On Sun, Dec 04, 2005 at 11:06:02PM +0100, Patrick McHardy wrote:
>
> > I'm worried about this bit. This looks like it'll go back to the top
> > of the IP stack with the existing call chain. So could grow as the
> > number of transforms increases.
>
> It's not so bad. It adds ip_xfrm_transport_hook and
> ip_local_deliver_finish to the call stack, but since two subsequent
> transport mode SAs are always processed at once it can't take this
> path again without calling netif_rx in between.

If there is a DNAT in the way, this will jump to the very start of the
stack. So if we have a hostile IPsec peer, and the DNAT rules are such
that this can occur, then we could be in trouble (especially because
policy/selector verification does not occur until all IPsec has been
done, so we can't check inner address validity at this point).

> Besides the double counting, packets also appear on the packet sockets
> after transport mode decapsulation with the original approach. For
> IPv6 there's also the double-parsing of extension header issue.

Having the packets appear twice on AF_PACKET is probably desirable :)

I'll need to think about the double-parsing though.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt