Herbert Xu wrote:
On Wed, Mar 23, 2005 at 09:43:40PM -0800, David S. Miller wrote:
This patch (not entirely reviewed myself yet) contains the parts
necessary for hooking output IPsec packets for netfilter.
This is actually much cleaner than I had ever anticipated.
I like it.
I completely agree. The output patch is an elegant piece of work.
Thanks. Unfortunantely it might need to be replaced because of
issues with the input side.
I suppose the input side will be quite a bit more involved?
Maybe it won't be that bad when we actually see it :)
Stealing the packets in xfrm_policy_check() didn't work out, a packet
can be checked multiple times, and before all IPsec processing is
done, because of raw sockets. Even worse, a raw socket can have its
own policy and accept packets that will be further processed by
IPsec. This suggests that the whole idea of skipping netfilter hooks
before all IPsec processing is done was wrong and we need to call
them on each pass through the stack as usual to be able to filter
before raw sockets. For symetry in the output path we would need to
pass the packet through POST_ROUTING and OUTPUT for each tunnel mode
transform. I wanted to avoid this so far because I can't think of
anything useful netfilter could do between two transforms on output,
but the good part is that it shouldn't require any changes in the
input path. I'm trying it now ..
BTW Patrick, what about the other bits in your original patch set?
In particular, have you still got the bit that does policy lookups
I haven't got up-to-date patches, but Christophe Saoute has ported
them to 2.6.12-rc1 and published on his page:
There are two patches that will probably be required either way,
the policy lookup after SNAT patch you mentioned, and a patch that
adds a function to restore struct flowi as it would have looked
without NAT for policy checks. Both are small and should be