[NF+IPsec 4/6]: Make IPsec input processing symmetrical to output

Herbert Xu herbert at gondor.apana.org.au
Wed Oct 26 01:10:49 CEST 2005


On Wed, Oct 26, 2005 at 01:09:12AM +0200, Patrick McHardy wrote:
>
> > So how about this? We let the SA tell us whether they want to go through
> > netfilter again.  So each SA will carry a flag which determines whether
> > packets through it should go through netfilter.
> > 
> > This flag would only affect transport mode SAs of course.
> 
> That would be one possibility. But I'm not a big fan of per-state flags
> that affect packet flow, so I think I'd prefer to just ignore this
> case. I don't think not handling inner transport mode SAs would be a
> big loss, so how about we just skip inner transport mode SAs completely
> on output and keep the input code as it is?

Actually I was thinking of transport mode SAs with no accompanying
tunnel mode SAs.  Did you have another way of dealing with them?

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
