On Sat, Jun 28, 2003 at 05:26:40PM +1000, herbert wrote:
>
> > Anyway, let's think simpler: what policy do you set on output?
> > Why is the symmetric reflection of this policy on input not enough?
>
> Indeed, the same problem probably exists on output.
>
> It's sufficient from the kernel's point of view. But it makes the KM's

Actually, there is asymmetry here. On the out path, we call
ip_route_output_key recursively in bundle_create which handles nested
SAs correctly. There is no such recursion in policy_check for inbound
packets.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt