Herbert Xu wrote:
> On Sat, Nov 05, 2005 at 10:19:51AM +0100, Patrick McHardy wrote:
>
>> What I propose is to keep tunnel mode handling as it is, so
>> for each tunnel mode SA we hit PRE_ROUTING and LOCAL_IN in
>> the normal packet path. If the final SA is a transport mode
>> SA, we don't call netif_rx as in my first patchset, but pass
>> the packet through a new PRE_ROUTING hook in xfrm{4,6}_input
>> and LOCAL_IN afterwards. The packet won't be processed a second
>> time by the stack, just the netfilter hooks will be called.
>> NAT will be handled manually for IPv4 by doing a new route
>> lookup and calling dst_input if NAT took place.
>
> In other words LOCAL_IN will still see the packet twice for
> pure transport mode packets? That's going to be a problem for
> me for the reasons that I outlined earlier:
>
> <[EMAIL PROTECTED]>
Well, once encapsulated and once decapsulated. What I propose is
actually exactly what you suggested in that mail:

> Would it be workable to try something like this? We invoke netfilter
> after each tunnel mode transform as we do now. In addition to that,
> we invoke netfilter at the very end of IPsec processing, that is,
> just before the point where the original xfrm*_rcv_encap would have
> returned.

In my last patchset I did it by calling netif_rx at that point, now I
want to add new hooks.

> Also, I thought Yoshifuji-san's objection is not just about
> transport mode packets passing through netif_rx twice, but
> passing through netfilter twice as well?

I think so, but he didn't mention a reason why he objects to it. I also
don't think it can be done otherwise while still keeping netfilter
"just working" for all cases, which IMO is highly desirable.