On Tue, 30 Sep 2003 19:43:32 +1000 Herbert Xu <herbert@gondor.apana.org.au> wrote:

> Consider the case of
>
> IPCOMP(tunnel)+ESP(transport)
>
> where the packet is incompressible. After ESP decapsulation, we
> check the policy in ip_input.c before passing control over to
> xfrm4_tunnel.c. After the IPIP decapsulation, we repeat the check
> either in ip_input.c or ip_forward.c.
>
> The first check is redundant and possibly misleading.

If the ESP rule we match says "only if IPIP/IPCOMP is inside", the first check after ESP decapsulation (which you are saying is redundant) is needed. I thought this was one of the major features of policies: you can say what inner protocols must be there after decap.

I mean, what if we have something like the following (albeit silly) example:

ESP+IPCOMP+ESP

(ISAKMP probably does not allow such things to be negotiated, but please ignore that for the purpose of my argument.)

We need to redo the check on each and every re-input of the packet.

I'm probably being dense, if so please help me :)
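A toy model of the repeated inbound policy check the two posters are arguing about, added here as an illustration and not code from the kernel or from either poster. The policy lists, the `policy_check` and `receive` functions, and the treatment of the bare IPIP header of an incompressible packet as its IPCOMP tunnel SA are assumptions of the model, not xfrm behaviour.

```python
# Toy model of repeating the inbound policy check after every decapsulation.
# Constructed for this note; it is not the kernel's xfrm implementation and
# the names (policy_check, receive, the policy constants) are hypothetical.
from typing import List, Tuple

Transform = Tuple[str, str]  # (protocol, mode), e.g. ("esp", "transport")

# Policy for the quoted case: ESP in transport mode must carry an IPCOMP
# tunnel inside it.  Templates are listed outermost first.
INCOMPRESSIBLE_POLICY: List[Transform] = [("esp", "transport"), ("ipcomp", "tunnel")]
# Policy for the (admittedly silly) ESP+IPCOMP+ESP example from the reply.
NESTED_POLICY: List[Transform] = [("esp", "transport"), ("ipcomp", "tunnel"), ("esp", "transport")]


def policy_check(secpath: List[Transform], policy: List[Transform]) -> bool:
    """True when every policy template appears, in order, among the
    transforms stripped off so far (the secpath).  A packet still wearing
    layers the policy requires cannot pass yet."""
    remaining = iter(secpath)
    return all(any(sa == tmpl for sa in remaining) for tmpl in policy)


def receive(layers: List[str], policy: List[Transform]) -> List[bool]:
    """Decapsulate outermost-first, re-running policy_check each time the
    packet is re-input, and return the verdict of every check.  Header names
    are constructed sample input; the first non-transform header ends
    decapsulation."""
    secpath: List[Transform] = []
    verdicts: List[bool] = []
    for proto in layers:
        if proto == "ESP":
            secpath.append(("esp", "transport"))
        elif proto in ("IPCOMP", "IPIP"):
            # Assumption: an incompressible packet on an IPCOMP tunnel SA
            # arrives with only the IPIP header, yet still counts as that
            # IPCOMP tunnel SA when the policy templates are matched.
            secpath.append(("ipcomp", "tunnel"))
        else:
            break  # payload (e.g. TCP) reached: nothing more to strip
        verdicts.append(policy_check(secpath, policy))
    return verdicts


if __name__ == "__main__":
    # Incompressible packet on IPCOMP(tunnel)+ESP(transport): the check run
    # right after ESP sees an incomplete secpath; only the check after the
    # IPIP layer sees the inner transform the policy demands.
    print(receive(["ESP", "IPIP", "TCP"], INCOMPRESSIBLE_POLICY))   # [False, True]
    print(receive(["ESP", "IPCOMP", "ESP", "TCP"], NESTED_POLICY))  # [False, False, True]
    print(receive(["ESP", "TCP"], INCOMPRESSIBLE_POLICY))           # [False]
```

The verdict lists show which of the repeated checks can actually evaluate an "inner protocol must be there" template: only the one that runs once that inner layer has been stripped.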