Hello!

> There is one other problem though with nested policies. We only check
> the outermost policy in such a case. To solve that problem, we should
> invoke xfrm_policy_check recursively.

I do not understand. The policy applies only to the content.

Compare with output, where policy applies to the original packet and all the transformations are derived from this. On input the order is symmetrical, and this is the policy which IKEs install.

Alexey