ipsec patches test: minor compilation and policy match issues
Sun, 25 Jul 2004 11:40:56 +0200 (CEST)
On Fri, 23 Jul 2004, Patrick McHardy wrote:
> > But seriously speaking I think conntrack may need to be split in two for
> > this to work properly: prerouting to associate packet with connection for
> I've thought about this, but I can't imagine how it would work, you
> have to deal with all kinds of races ..
conntrack should be manageable in this I think, but NAT looks like a
nightmare.. In any event it is a major change of connection tracking and
most likely outside what is realistic to do during a "stable" kernel
For now I think it is better to make use of the raw table and accept the
duplicate policy check on ipsec traffic, if of too heavy add a skb flag
indicating the policy check is already done.