Joerg Platte wrote:
On Sunday, 20 November 2005 17:31, Patrick McHardy wrote:
Hi!

- policy lookups after NAT:

When NAT changes a packet it already calls ip_route_me_harder, which
reroutes the packet and does a new policy lookup. It only looks at
the IP addresses however, changing the port numbers requires a new
policy lookup as well. It also doesn't reroute in POST_ROUTING, since
the packet has already been routed. To behave more like a regular
tunnel device a policy lookup is now also done after SNAT and the
packet is passed to dst_output again if the lookup yielded a new
policy.

I suppose this is the reason why masqueraded packets leave a recent kernel unencrypted, even if they would match the policy. It's still not implemented in mainline. Am I right? If yes, I hope your patches will be merged as soon as possible :-)

You're right, that's the reason. Since the patches touch quite a lot of
code they won't make it in 2.6.15, though.
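As an added illustration (not code from this thread or from the kernel): a small Python model of an xfrm policy selector match, comparing a lookup done only at route time on the pre-NAT tuple with one repeated after SNAT on the rewritten tuple, as the patch described above does. The policy, addresses and ports are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of an xfrm policy selector: src/dst prefix, protocol
# and port selectors (0 means "any"), plus the action to take on a match.
@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: int = 0         # 0 = any protocol
    sport: int = 0         # 0 = any port
    dport: int = 0
    action: str = "ipsec"  # "ipsec" = tunnel it, "allow" = send in clear

@dataclass(frozen=True)
class Flow:
    saddr: str
    daddr: str
    proto: int
    sport: int
    dport: int

def selector_matches(p: Policy, f: Flow) -> bool:
    """Match the way a policy selector does: prefixes, protocol, ports."""
    return (ip_address(f.saddr) in ip_network(p.src)
            and ip_address(f.daddr) in ip_network(p.dst)
            and p.proto in (0, f.proto)
            and p.sport in (0, f.sport)
            and p.dport in (0, f.dport))
def policy_lookup(policies, f: Flow) -> str:
    """First matching policy wins; no match means plain (cleartext) routing."""
    for p in policies:
        if selector_matches(p, f):
            return p.action
    return "allow"
def output_path(policies, pre_nat: Flow, post_nat: Flow, relookup: bool) -> str:
    """Route-time lookup sees the pre-NAT tuple; the fix discussed in the thread
    repeats the lookup on the SNAT-rewritten tuple in POST_ROUTING."""
    action = policy_lookup(policies, pre_nat)
    if relookup:
        action = policy_lookup(policies, post_nat)
    return action
# Constructed scenario: LAN host masqueraded behind a router whose public
# address is the source selector of the tunnel policy.
POLICIES = [Policy(src="203.0.113.1/32", dst="198.51.100.0/24")]
PRE_NAT = Flow("192.168.1.10", "198.51.100.5", 6, 40000, 443)
POST_NAT = Flow("203.0.113.1", "198.51.100.5", 6, 40000, 443)

def masquerade_outcome(relookup: bool) -> str:
    return output_path(POLICIES, PRE_NAT, POST_NAT, relookup)  # "allow" / "ipsec"
```

`masquerade_outcome(False)` models the unpatched kernel (the masqueraded packet leaves in cleartext because the only lookup saw the LAN source address); `masquerade_outcome(True)` models the behaviour with the extra post-SNAT lookup.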