Re: [PATCH 00/13]: Netfilter IPsec support
David S. Miller wrote:
> From: Patrick McHardy [EMAIL PROTECTED]
> Date: Sun, 20 Nov 2005 17:31:28 +0100
>
>> This is the latest netfilter/IPsec patchset. Its purpose is to make IPsec
>> look as much like a normal tunnel device to netfilter as possible and to
>> enable NAT support.
>
> I think there are some of these patches that we can merge right now into
> net-2.6.16...
>
> I want to do this so that Patrick doesn't have to repost 13 or so patches
> every time one of the parts still under discussion gets changed.
>
> Actually, it seems the only part under discussion is how to avoid
> extension header reparsing and routing re-lookups on the IPv6 side.
> That could be fixed by a follow-on patch and is not 100% necessary for
> initial integration in my opinion.
>
> Can I get agreement on that? Patrick sends me a dump of the current state
> of his patch set right now, we put that into net-2.6.16, and fix problems
> with follow-on patches.
>
> Ok?

I would appreciate that, but I want to have a closer look at Herbert's
patches first. Unfortunately it's late and I have to get up early, so it's
going to take me a day.

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 00/13]: Netfilter IPsec support
Patrick McHardy [EMAIL PROTECTED] wrote:
> I would appreciate that, but I want to have a closer look at Herbert's
> patches first. Unfortunately it's late and I have to get up early, so it's
> going to take me a day.

How about merging the patches that everybody has agreed on first? So far,
I haven't seen any objections to patches 1 and 2, so they can go in straight
away. They don't even touch IPv6.

Patches 3-6 could become redundant if you go with my suggestion.

The rest of them I haven't read yet so can't comment :)

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu [EMAIL PROTECTED]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH 00/13]: Netfilter IPsec support
From: Patrick McHardy [EMAIL PROTECTED]
Date: Wed, 23 Nov 2005 02:17:14 +0100

> I would appreciate that, but I want to have a closer look at Herbert's
> patches first. Unfortunately it's late and I have to get up early, so it's
> going to take me a day.

Take your time :)
Re: [PATCH 00/13]: Netfilter IPsec support
From: David S. Miller [EMAIL PROTECTED]
Date: Tue, 22 Nov 2005 19:36:31 -0800 (PST)

> From: Herbert Xu [EMAIL PROTECTED]
> Date: Wed, 23 Nov 2005 12:35:53 +1100
>
>> How about merging the patches that everybody has agreed on first? So far,
>> I haven't seen any objections to patches 1 and 2, so they can go in
>> straight away. They don't even touch IPv6.
>>
>> Patches 3-6 could become redundant if you go with my suggestion.
>>
>> The rest of them I haven't read yet so can't comment :)
>
> View the net-2.6.16 GIT tree as a sort of playpen, much like -mm, until we
> get close to the real 2.6.16 upstream development opening up. I rebase all
> the time, and I can pluck out and change patches at will.

Then I agree. It can increase the number of testers, I think.

--
Yasuyuki Kozakai
Re: [PATCH 00/13]: Netfilter IPsec support
On Sunday, 20 November 2005 17:31, Patrick McHardy wrote:

Hi!

> - policy lookups after NAT:
>
>   When NAT changes a packet it already calls ip_route_me_harder, which
>   reroutes the packet and does a new policy lookup. It only looks at the
>   IP addresses, however; changing the port numbers requires a new policy
>   lookup as well. It also doesn't reroute in POST_ROUTING, since the
>   packet has already been routed. To behave more like a regular tunnel
>   device, a policy lookup is now also done after SNAT and the packet is
>   passed to dst_output again if the lookup yielded a new policy.

I suppose this is the reason why masqueraded packets leave a recent kernel
unencrypted, even if they would match the policy. It's still not
implemented in mainline. Am I right? If yes, I hope your patches will be
merged as soon as possible :-)

regards,
Jörg
Re: [PATCH 00/13]: Netfilter IPsec support
Joerg Platte wrote:
> On Sunday, 20 November 2005 17:31, Patrick McHardy wrote:
>
> Hi!
>
>> - policy lookups after NAT:
>>
>>   When NAT changes a packet it already calls ip_route_me_harder, which
>>   reroutes the packet and does a new policy lookup. It only looks at the
>>   IP addresses, however; changing the port numbers requires a new policy
>>   lookup as well. It also doesn't reroute in POST_ROUTING, since the
>>   packet has already been routed. To behave more like a regular tunnel
>>   device, a policy lookup is now also done after SNAT and the packet is
>>   passed to dst_output again if the lookup yielded a new policy.
>
> I suppose this is the reason why masqueraded packets leave a recent kernel
> unencrypted, even if they would match the policy. It's still not
> implemented in mainline. Am I right? If yes, I hope your patches will be
> merged as soon as possible :-)

You're right, that's the reason. Since the patches touch quite a lot of
code they won't make it in 2.6.15, though.
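The post-NAT policy lookup discussed in the two messages above, as an added example that is not part of the patchset or of the kernel: a simplified C model of IPsec policy selector matching showing why a policy decision taken before SNAT/MASQUERADE, or before a port-only DNAT/REDIRECT, is stale and would let a packet that now matches a policy leave in clear text. The policy table, the addresses and the nat_rewrite helper are constructed for illustration.

```c
/* Added example, not kernel code: a simplified model of IPsec policy selector
 * matching (address prefix lengths, port masks, as in xfrm_selector) showing
 * why a policy decision taken before NAT is stale once the 5-tuple changes. */
#include <stdint.h>

struct pkt { uint32_t saddr, daddr; uint16_t sport, dport; };
struct selector {
    uint32_t saddr, daddr;
    uint8_t  prefixlen_s, prefixlen_d;             /* 0 = any address */
    uint16_t sport, sport_mask, dport, dport_mask; /* mask 0 = any port */
};

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

static uint32_t prefix_mask(uint8_t len) {
    return len == 0 ? 0 : 0xffffffffu << (32 - len);
}

static int selector_match(const struct selector *s, const struct pkt *p) {
    return ((p->saddr ^ s->saddr) & prefix_mask(s->prefixlen_s)) == 0 &&
           ((p->daddr ^ s->daddr) & prefix_mask(s->prefixlen_d)) == 0 &&
           ((p->sport ^ s->sport) & s->sport_mask) == 0 &&
           ((p->dport ^ s->dport) & s->dport_mask) == 0;
}

/* Constructed policy table. 0: protect HTTP sent from the gateway's public
 * address 192.0.2.1; 1: protect SMTP to the 203.0.113.0/24 mail servers. */
static const struct selector policies[] = {
    { IP(192, 0, 2, 1), IP(198, 51, 100, 0), 32, 24, 0, 0, 80, 0xffff },
    { 0, IP(203, 0, 113, 0), 0, 24, 0, 0, 25, 0xffff },
};

/* Index of the first matching policy, or -1 (packet leaves in clear text). */
int policy_lookup(const struct pkt *p) {
    for (int i = 0; i < (int)(sizeof policies / sizeof policies[0]); i++)
        if (selector_match(&policies[i], p))
            return i;
    return -1;
}

/* NAT rewrite; a 0 argument leaves that field unchanged. SNAT/MASQUERADE set
 * the source side, DNAT/REDIRECT the destination side (possibly port only). */
struct pkt nat_rewrite(struct pkt p, uint32_t saddr, uint16_t sport,
                       uint32_t daddr, uint16_t dport) {
    if (saddr) p.saddr = saddr;
    if (sport) p.sport = sport;
    if (daddr) p.daddr = daddr;
    if (dport) p.dport = dport;
    return p;
}
```

Running policy_lookup on the pre-NAT packet returns -1 in both constructed cases, while the same packet after the rewrite matches policy 0 (masquerade) or policy 1 (port-only redirect), which is why the lookup has to be repeated after NAT.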
Re: [PATCH 00/13]: Netfilter IPsec support
On Sunday, 20 November 2005 19:07, Patrick McHardy wrote:

Hi!

> You're right, that's the reason. Since the patches touch quite a lot of
> code they won't make it in 2.6.15, though.

Hmm, I can wait for 2.6.16. But I tried to figure out what's going wrong
for a couple of days. Now I know I'll just have to wait until it works as
expected.

regards,
Jörg