[NF+IPsec 4/6]: Make IPsec input processing symmetrical to output
Patrick McHardy
kaber at trash.net
Sat Nov 5 08:55:44 CET 2005
Herbert Xu wrote:
> On Thu, Oct 27, 2005 at 11:57:32PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
>
>>Well, I really care.
>>I strongly believe that we SHOULD NOT mix encrypted
>>packets and plain text packets at the same hook.
>>e.g. LOCAL_IN is NOT for decrypted plain text packets,
>>but for the original encrypted ones.
>
>
> OK. Would it be workable for you if LOCAL_IN only saw the decrypted
> packets without ever seeing the encrypted ones?
How exactly would that work? I guess we couldn't do NAT with
the encrypted packet anymore?
> I'd like to know where the boundaries are so we can find a compromise
> that works for everyone.
I would prefer something similar to the second set of patches.
Instead of calling netif_rx we could use NF_HOOK and simulate
the relevant parts of the input path for IPv4 and NAT. This
would assure that statistics are still correct and tcpdump is
not affected, which were Yoshifuji's biggest concerns if I
understood correctly.