From: Patrick McHardy <[EMAIL PROTECTED]> Date: Mon, 21 Nov 2005 07:52:36 +0100
> I don't see why it is confusing. Plain text packets are visible before
> encapsulation (and they have to be because we don't necessarily know
> if packets will be encapsulated at the time the hooks are called in
> case the policy lookup after NAT returns a policy), plain text packets
> are visible after decapsulation. With different hooks we can't have
> symmetrical behaviour because of the case I mentioned above, and that
> would be confusing IMO.

I think this is a very important point. I can see no serious argument against this behavior, especially for output.

On input, there is an argument of paranoia about seeing plaintext packets, but an administrator could do this anyway with tcpdump or a custom kernel module if this system is the decapsulation point.

I've read over Patrick's two most recent postings of these patches and I think they are generally sane and I cannot find any holes in them.

Herbert brought up the legitimate concern about defragmentation, but I think that's a detail and does not take away from the structural soundness of Patrick's approach.