Hello Herbert,

As far as the IKE daemon is concerned, this is a kernel-specific aspect, and an SPD add is generic and should not have any notion of table or IN/FW/OUT path. This is an IP/IPsec stack notion, as from one stack to another the inbound path could be the same as the forward one (in my actual work, this is the case).

If the pfkey interface is used (which is the case in isakmpd and racoon), the daemon will set SPD entries (well OK, it seems that racoon relies on external SPD management and isakmpd does it halfway) without any notion of policy check level (aka where in the stack the check is). Hopefully, when a policy is added, it is done the same way in IN/OUT/FW (or only the direction=inbound in IN, both in FW, and direction=outbound in OUT).

On Sun, Jun 22, 2003 at 02:07:01PM +1000, Herbert Xu wrote:
> Is it correct that for an inbound policy to be completely effective,
> it needs to be added to both the XFRM_POLICY_IN table as well as the
> XFRM_POLICY_FWD table?
>
> I'm asking because it seems that neither racoon nor isakmpd adds anything
> to the forward table. Or did I miss them?
>
> Cheers,
> --
> Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
> Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
> -
> : send the line "unsubscribe linux-net" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
-> Jean-Francois Dive
--> jef@linuxbe.org

There is no such thing as randomness. Only order of infinite complexity.
- Marquis de LaPlace - deterministic Principles -
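As an added illustration of the question in this thread (not part of either e-mail and not code from racoon, isakmpd or the kernel), the following audit sketch lists inbound policies that have no forward-table entry with the same selector. It assumes the text layout printed by `ip xfrm policy`; the sample dump, addresses and function names are constructed for the example.

```python
import re

# Constructed sample in the layout printed by `ip xfrm policy` (not from the thread).
SAMPLE = (
    "src 10.0.2.0/24 dst 10.0.1.0/24 \n"
    "\tdir in priority 2000 \n"
    "\ttmpl src 192.0.2.2 dst 192.0.2.1\n"
    "\t\tproto esp reqid 1 mode tunnel\n"
    "src 10.0.2.0/24 dst 10.0.1.0/24 \n"
    "\tdir fwd priority 2000 \n"
    "\ttmpl src 192.0.2.2 dst 192.0.2.1\n"
    "\t\tproto esp reqid 1 mode tunnel\n"
    "src 10.0.1.0/24 dst 10.0.2.0/24 \n"
    "\tdir out priority 2000 \n"
    "\ttmpl src 192.0.2.1 dst 192.0.2.2\n"
    "\t\tproto esp reqid 1 mode tunnel\n"
    "src 10.0.3.0/24 dst 10.0.1.0/24 \n"
    "\tdir in priority 2000 \n"
    "\ttmpl src 192.0.2.3 dst 192.0.2.1\n"
    "\t\tproto esp reqid 2 mode tunnel\n"
)

def parse_policies(text):
    """Return a list of {'selector', 'dir'} dicts from an `ip xfrm policy` dump."""
    policies, current = [], None
    for line in text.splitlines():
        if line.startswith("src "):
            # An unindented "src ..." line is a policy selector
            # (template lines also contain "src" but are indented).
            current = {"selector": line.strip(), "dir": None}
            policies.append(current)
        elif current is not None and current["dir"] is None:
            m = re.match(r"\s+dir (\S+)", line)
            if m:
                current["dir"] = m.group(1)
    return policies

def in_without_fwd(policies):
    """Selectors present with dir 'in' but lacking an identical dir 'fwd' entry."""
    fwd = {p["selector"] for p in policies if p["dir"] == "fwd"}
    inbound = {p["selector"] for p in policies if p["dir"] == "in"}
    return sorted(inbound - fwd)

if __name__ == "__main__":
    for selector in in_without_fwd(parse_policies(SAMPLE)):
        print("inbound policy without fwd counterpart:", selector)
```

On a host that only terminates traffic for itself, an inbound policy without a forward entry may be intentional; on a gateway that routes decrypted traffic onward, the listed selectors are the ones to review.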