On Tuesday 2009-02-17 19:46, Joe Pruett wrote:
> On Tue, 17 Feb 2009, Jan Engelhardt wrote:
>
>> ipip is not used for ipsec.
>
> my reading of the code was that in tunnel mode, the next protocol
> header is ip and so the packet then gets handed off to the ip-ip
> handler.

Still the ipip.ko module (used for creating an explicit tunnel interface)
is not used nor required to be loaded.

When an ESP packet with IPv4 outer address is received, the function
ip_rcv() will eventually deal with it, moved to the xfrm decoder and then
reinjected by calling netif_rx (see xfrm_input.c) on the skb with its
decoded payload.

Also, do not confuse IP-in-ESP-over-IPv4 with IP-(in/over)-IP.
For about every router and subsystem other than xfrm, there is no way
to look into ESP payload and hence, it's just ESP-on-IPv4 or ESP-on-IPv6.
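The distinction drawn in the message above, as an added example that is not part of the original post or of the kernel source: a user-space classifier showing what a device without the SA keys can read from an outer IPv4 packet carrying IP-in-IP (protocol 4) versus ESP (protocol 50). The names `classify_outer` and `outer_view` are hypothetical and both sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum outer_kind { OUTER_INVALID, OUTER_OTHER, OUTER_IPIP, OUTER_ESP };
struct outer_view {
    enum outer_kind kind;
    uint32_t spi, seq;   /* ESP: the only cleartext fields after the IP header */
    uint32_t inner_dst;  /* IPIP: the inner IPv4 header is readable by anyone */
};

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Classify an IPv4 packet as a device without the SA keys would see it. */
struct outer_view classify_outer(const uint8_t *pkt, size_t len)
{
    struct outer_view v = { OUTER_INVALID, 0, 0, 0 };
    size_t ihl = len >= 20 ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    if (ihl < 20 || len < ihl || (pkt[0] >> 4) != 4)
        return v;                            /* truncated or not IPv4 */
    if (pkt[9] == 4 && len - ihl >= 20 && (pkt[ihl] >> 4) == 4) {
        v.kind = OUTER_IPIP;                 /* protocol 4: IP-in-IP */
        v.inner_dst = be32(pkt + ihl + 16);
    } else if (pkt[9] == 50 && len - ihl >= 8) {
        v.kind = OUTER_ESP;                  /* protocol 50: ESP */
        v.spi = be32(pkt + ihl);             /* inner packet stays opaque */
        v.seq = be32(pkt + ihl + 4);
    } else if (pkt[9] != 4 && pkt[9] != 50) {
        v.kind = OUTER_OTHER;
    }
    return v;
}

/* Constructed samples (documentation addresses, checksums left zero). */
static const uint8_t esp_pkt[] = {
    0x45,0,0,32, 0,0,0,0, 64,50,0,0, 192,0,2,1, 198,51,100,1,
    0,0,0x10,0x01, 0,0,0,7, 0xde,0xad,0xbe,0xef };  /* SPI, seq, ciphertext */
static const uint8_t ipip_pkt[] = {
    0x45,0,0,40, 0,0,0,0, 64,4,0,0, 192,0,2,1, 198,51,100,1,
    0x45,0,0,20, 0,0,0,0, 64,59,0,0, 10,0,0,1, 10,0,0,2 };

int main(void)
{
    struct outer_view e = classify_outer(esp_pkt, sizeof esp_pkt),
                      i = classify_outer(ipip_pkt, sizeof ipip_pkt);
    printf("esp spi=0x%x seq=%u; ipip inner_dst=0x%x\n",
           (unsigned)e.spi, (unsigned)e.seq, (unsigned)i.inner_dst);
    return 0;
}
```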