On Tue, 17 Feb 2009, Jan Engelhardt wrote:
Still the ipip.ko module (used for creating an explicit tunnel interface) is not used nor required to be loaded. When an ESP packet with IPv4 outer address is received, the function ip_rcv() will eventually deal with it, moved to the xfrm decoder and then reinjected by calling netif_rx (see xfrm_input.c) on the skb with its decoded payload. Also, do not confuse IP-in-ESP-over-IPv4 with IP-(in/over)-IP. For about every router and subsystem other than xfrm, there is no way to look into ESP payload and hence, it's just ESP-on-IPv4 or ESP-on-IPv6.
i have to now beg forgiveness. i think i ended up doing some of my testing on a rhel/centos 4 box which is only 2.6.9 with ipsec backported. now that i correctly tested on my version 5 box, everything is working as i expect. follow that with a few minutes of code reading and i convinced myself that host2host just wasn't doing what i wanted. i'll go crawl back under the rocks now :-).