Lately I have been trying to do an IPSEC module implementation for my
employer for the 2.2 kernel without having to patch the kernel.

Explanation:----
I'm using ip_rcv and ip_queue_xmit (compiled ipv6 as module to get
queue_xmit). I do checking in call{in,out}_firewall() if I have already
handled the packet in my ipsec module.
I could use skb->dst->output(skb); but then it would break possible
ipchains settings since outgoing packets would no longer go through it
(ipchains module has lowest priority)

The problem, however, is fragmentation. If I send e.g. a ping packet which is
longer than 1500 bytes it will go through ip_build_xmit_slow (instead of
ip_build_xmit or ip_queue_xmit) which will fragment it and then put it
through the firewall list, and in the firewall we have a module which will store the
packet for later handling and return FW_QUEUE || FW_BLOCK.

When we have handled the packet (checked policies and {en,de}crypted data
/ done payloads) we want to send it out. I do this by calling
ip_queue_xmit(); this sadly sets frag_off to 0.

Question:---
So is the only way to get this to work to reassemble the packet in the
firewall module's own pseudo IP and then send it onwards to ip_queue_xmit?
(not a very nice way of doing it :/ ) or is there some better way of doing
this?


-- 
Janne Pänkälä
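Added example, not part of the original post: a user-space sketch in C of the reassembly step the question considers (collecting fragments by IP id, placing each by its 13-bit frag_off offset, and requiring a complete set before anything is handed on), with constructed fragments built by a hypothetical make_frag() helper; the 2.2 kernel APIs named above are not used.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#define IP_MF      0x2000  /* "more fragments" flag in the 16-bit frag_off field */
#define IP_OFFMASK 0x1fff  /* low 13 bits: fragment offset in 8-byte units */
static void put16(uint8_t *p, uint16_t v) { v = htons(v); memcpy(p, &v, 2); }
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return ntohs(v); }
/* Build one constructed IPv4 fragment (no options, checksum left 0) into buf. */
size_t make_frag(uint8_t *buf, uint16_t id, uint16_t off8, int more, const uint8_t *pl, size_t plen)
{
    memset(buf, 0, 20);
    buf[0] = 0x45; buf[8] = 64; buf[9] = 1;                  /* v4, IHL 5, TTL 64, proto ICMP */
    put16(buf + 2, (uint16_t)(20 + plen));
    put16(buf + 4, id);
    put16(buf + 6, (uint16_t)((more ? IP_MF : 0) | (off8 & IP_OFFMASK)));
    memcpy(buf + 20, pl, plen);
    return 20 + plen;
}
/* Reassemble fragments sharing one IP id into out (any order; overlaps counted once).
 * Returns the payload length, or -1 if the set is incomplete, inconsistent or too big. */
long reassemble(const uint8_t *const *frags, const size_t *lens, int n, uint8_t *out, size_t outcap)
{
    static uint8_t seen[65536 / 8];                          /* bitmap of 8-byte units received */
    long total = -1; size_t covered = 0; uint16_t id0 = 0;
    memset(seen, 0, sizeof seen);
    for (int i = 0; i < n; i++) {
        if (lens[i] < 20 || (frags[i][0] >> 4) != 4) return -1;
        size_t ihl = (frags[i][0] & 0x0f) * 4, tot = get16(frags[i] + 2); uint16_t fo = get16(frags[i] + 6);
        if (ihl < 20 || tot > lens[i] || tot < ihl) return -1;
        if (i == 0) id0 = get16(frags[i] + 4); else if (get16(frags[i] + 4) != id0) return -1;
        size_t off = (size_t)(fo & IP_OFFMASK) * 8, plen = tot - ihl;
        if (off + plen > outcap || ((fo & IP_MF) && plen % 8)) return -1;  /* non-final: 8-byte multiple */
        if (!(fo & IP_MF)) { if (total >= 0) return -1; total = (long)(off + plen); }
        memcpy(out + off, frags[i] + ihl, plen);
        for (size_t u = off / 8; u < (off + plen + 7) / 8; u++)
            if (!(seen[u / 8] & (1 << (u % 8)))) { seen[u / 8] |= (uint8_t)(1 << (u % 8)); covered += 8; }
    }
    return (total < 0 || covered < (size_t)total) ? -1 : total;
}
/* Constructed demo: 3000-byte payload split at a 1500-byte MTU (1480 payload bytes per
 * fragment), delivered out of order; drop_middle simulates a lost fragment. */
long demo(int drop_middle)
{
    static uint8_t payload[3000], f0[1500], f1[1500], f2[1500], out[4000];
    for (int i = 0; i < 3000; i++) payload[i] = (uint8_t)i;
    size_t l0 = make_frag(f0, 0x1234, 0, 1, payload, 1480);
    size_t l1 = make_frag(f1, 0x1234, 185, 1, payload + 1480, 1480);       /* 1480 / 8 = 185 */
    size_t l2 = make_frag(f2, 0x1234, 370, 0, payload + 2960, 40);
    const uint8_t *frags[3] = { f0, f2, f1 }; size_t lens[3] = { l0, l2, l1 };
    long got = reassemble(frags, lens, drop_middle ? 2 : 3, out, sizeof out);
    return (got == 3000 && memcmp(out, payload, 3000) != 0) ? -2 : got;     /* -2: content mismatch */
}
```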

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]