Am Freitag, 22. April 2005 02:18 schrieb jamal:
> On Fri, 2005-22-04 at 09:58 +1000, Herbert Xu wrote:
> > On Thu, Apr 21, 2005 at 07:50:19PM -0400, jamal wrote:
> > > What was the reason there exist a FWD direction in the policies?
> > You should really ask Alexey about that :) I myself had the same
> > question when I first started in this area. However, since it
> > has been present since the very beginning and people are already
> > relying on it, we will have to live with it.
> I am sure if Alexey did it theres a good reason - I am not sure i get
> it. CCing mr Kuznet.
> > > Also - shouldnt the FWD policies closely match the OUT ones instead of
> > > the IN direction (browsing the forwarding code)? i.e
> > > does this look odd to you (picking a sample from Wolfgangs output):
> > The FWD policies are analogous to the FORWARD table in netfilter.
> > The FWD policies apply to forwarded packet, meaning packets that
> > end up in ip_forward instead of ip_local_deliver. The IN policies
> > only apply to packets that end up in ip_local_deliver.
> Heres what confused me when i browsed:
> looking at ip_forward() - it does a xfrm4_policy_check(NULL,
> XFRM_POLICY_FWD, skb) - this leads to a flow cache creation based on
> FWD direction. Later on in the path (still in ip_forward)
> xfrm4_route_forward() gets invoked which does a flow_cache build again
> based on XFRM_POLICY_OUT.
> So i was wondering whether they OUT shouldnt be just a duplicate of
> FWD (instead FWD seems to be the dup of IN). Look at that sample i
> posted - all his policies look like that. What gives? Why are the IN and
> FWD exactly the same? bug in racoon/setkey?
No. XFRM_POLICY_IN is only checked for incoming packets which are delivered
XFRM_POLICY_FWD is checked for incoming packets which are routed.
That our XFRM_POLICY_IN matches XFRM_POLICY_FWD is more for convenience: if a
subnet is connected directly to a router we want to treat the interface
address of the router itself the same way. Instead of constructing special
rules which exactly match the interface address we simply use the same rule
as for forwarding.
XFRM_POLICY_OUT ist checked for every outgoing packet, be it locally generated
be it routed (which is different from netfilter).
This asymmetry is a little bit inconsequent. Probably one should really have
XFRM_POLICY_FWD_IN and XFRM_POLICY_FWD_OUT. But XFRM_POLICY_OUT would mainly
be a copy of XFRM_POLICY_FWD_OUT then, I think.
Anstalt des öffentlichen Rechts