On Tue, Sep 30, 2003 at 02:48:10AM -0700, David S. Miller wrote:
>
> I mean, what if we have something like the following (albeit silly)
> example:
>
> ESP+IPCOMP+ESP
>
> (ISAKMP probably does not allow such things to be negotiated but
> please ignore that for the purpose of my argument)
>
> We need to redo the check on each and every re-input of the packet.

If all three SAs are for the local host, then only one policy check is
necessary. That is the one which is performed after all three SAs have
been decapped.

If you check the policy any earlier in your case, it will fail assuming
both ESP SAs are required by the policy.

In my case, the earlier check works because the IPCOMP SA is marked
optional.

Cheers,
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
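The point of the exchange above is when an inbound IPsec policy check can succeed for a nested bundle such as ESP+IPCOMP+ESP, and why marking the IPCOMP template optional changes the answer. The following is an added illustration written for this page, not code from the Linux xfrm stack or from either poster. It models a policy as an ordered list of templates, each required or optional, and evaluates the check after every decapsulation step; the template/SA representation, the outermost-first ordering, and the `policy_matches` semantics are assumptions of this model, not a description of the kernel's actual matching routine.

```python
from dataclasses import dataclass
from typing import List

# A security association, identified here only by its protocol.
# Constructed model: "esp", "ah" or "ipcomp".
@dataclass(frozen=True)
class SA:
    proto: str

# One entry of an inbound policy. A required template must be matched
# by an SA the packet was decapsulated from; an optional one may be
# absent (the IPCOMP-is-optional case from the thread).
@dataclass(frozen=True)
class Template:
    proto: str
    optional: bool = False


def policy_matches(templates: List[Template], decapped: List[SA]) -> bool:
    """Return True if the SAs already removed from the packet satisfy the
    policy. Both lists are outermost-first (assumption of this model).
    Required templates must be matched in order; optional templates may
    be skipped; every decapsulated SA must be accounted for."""
    i = 0
    for t in templates:
        if i < len(decapped) and decapped[i].proto == t.proto:
            i += 1
        elif not t.optional:
            # A required layer is missing or the wrong protocol.
            return False
    # Reject extra layers that the policy never asked for.
    return i == len(decapped)


def checks_after_each_decap(templates: List[Template],
                            bundle: List[SA]) -> List[bool]:
    """Run the policy check at every re-input point, i.e. after the 1st,
    2nd, ... SA has been decapped, and report the outcome of each."""
    return [policy_matches(templates, bundle[:n + 1])
            for n in range(len(bundle))]


# Constructed policy: ESP required, IPCOMP optional, ESP required.
POLICY = [Template("esp"), Template("ipcomp", optional=True), Template("esp")]


def demo() -> dict:
    """Summarise the cases discussed in the thread (constructed input)."""
    full = [SA("esp"), SA("ipcomp"), SA("esp")]   # ESP+IPCOMP+ESP
    no_comp = [SA("esp"), SA("esp")]              # sender skipped IPCOMP
    wrong = [SA("esp"), SA("ah"), SA("esp")]      # AH where IPCOMP/ESP expected
    return {
        # Only the check after the last decap can pass for the full bundle.
        "full": checks_after_each_decap(POLICY, full),
        # Optional IPCOMP: ESP+ESP alone satisfies the policy.
        "no_comp": checks_after_each_decap(POLICY, no_comp),
        # A non-matching required layer never passes.
        "wrong": checks_after_each_decap(POLICY, wrong),
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(f"{name:8s} checks after each decap: {results}")
```

For the full ESP+IPCOMP+ESP bundle the check fails after the first and second decap and passes only after the third, which is the "only one policy check is necessary, after all three SAs have been decapped" case; with IPCOMP marked optional an ESP+ESP packet also passes, while a bundle containing a layer the policy did not list is rejected at every point.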