ipsec patches test: minor compilation and policy match issues

Patrick McHardy kaber@trash.net
Wed, 14 Jul 2004 14:25:57 +0200


Henrik Nordstrom wrote:
> 
> This general problem of conntrack when applying policies on packet
> flows.. Spoofed packets arriving from an untrusted source will disrupt
> conntrack states unless filtering is applied before conntrack.
> 
> In normal traffic this can be solved by using the raw table to enforce the
> anti-spoof policy by dropping illegal traffic flows before seen by
> conntrack.  I suppose something similar could be done with ipsec traffic?

Yes.

> It would obviously be very nice for conntrack if the ipsec policy checks
> could be applied in prerouting before conntrack, but I am not sure how
> feasible this is.. It is not exactly a natural point for ipsec to apply
> policy checks in prerouting..

It can be done easily: when the packets hit netfilter, decapsulation is
already done, so we just need to add a call to xfrm4_policy_check().
The drawback is that policy checks would be performed twice on valid
packets.

Regards
Patrick
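The raw-table approach Henrik describes, as an added example that is not part of the thread: a small POSIX shell function that emits iptables rules dropping packets in raw/PREROUTING, which runs before the conntrack hook, so spoofed packets never create or disturb a conntrack entry. The interface name (eth0) and the internal prefixes are constructed placeholders; the function prints the rules rather than applying them so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.  Interface and
# address ranges are constructed placeholders for illustration.

# gen_antispoof_rules EXT_IF PREFIX [PREFIX ...]
# Print one raw-table rule per internal prefix.  A packet arriving on the
# external interface with an internal source address is spoofed, and the
# raw table's PREROUTING chain is traversed before conntrack runs, so the
# DROP happens before any state could be created or clobbered.
gen_antispoof_rules() {
    ext_if=$1
    shift
    [ -n "$ext_if" ] || { echo "missing external interface" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no prefixes given" >&2; return 1; }
    for prefix in "$@"; do
        # Only accept dotted-quad/len style arguments; reject anything else
        # so a typo cannot silently produce a rule that matches nothing.
        case $prefix in
            */*) ;;
            *) echo "not a CIDR prefix: $prefix" >&2; return 1 ;;
        esac
        case $prefix in
            *[!0-9./]*) echo "bad characters in prefix: $prefix" >&2; return 1 ;;
        esac
        printf 'iptables -t raw -A PREROUTING -i %s -s %s -j DROP\n' \
            "$ext_if" "$prefix"
    done
}

# count_rules EXT_IF PREFIX ... : number of rules the generator would emit
count_rules() {
    gen_antispoof_rules "$@" | grep -c 'j DROP'
}

# Usage: print the rules for review, or pipe them into sh to apply them.
gen_antispoof_rules eth0 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
```

Because these rules live in the raw table, they also sit in front of the NOTRACK target that is usually placed there, so traffic exempted from tracking is still subject to the anti-spoof check.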