On Tue, Sep 30, 2003 at 02:32:43AM -0700, David S. Miller wrote:
> On Sun, 28 Sep 2003 13:25:22 +1000
> Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> > I'm revisiting the idea of more stringent policy checks. In doing so I
> > discovered that we check the policy twice for xfrm4_tunnel packets.
> > This patch fixes that by moving the policy check into ipip.c.
>
> What is the code path where we check things twice?

Consider the case of IPCOMP(tunnel)+ESP(transport) where the packet is
incompressible. After ESP decapsulation, we check the policy in
ip_input.c before passing control over to xfrm4_tunnel.c. After the
IPIP decapsulation, we repeat the check either in ip_input.c or
ip_forward.c.

The first check is redundant and possibly misleading.

Cheers,
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt