Hi Guys,

Guidance is needed to verify small user space ipsec application design using netlink socket. The architecture looks something like this:

- Install iptable rules (to match certain ipsec policies) and get the packet in user-space using nf_queue target.
- Do the IPSec part and send the processed packet out.
- To optimize, use memory mapped IO as in https://lwn.net/Articles/512442/
- An important point here is: kernel transport and IP stack will be building the complete IP packet, data of which comes from some user space process like (ssh), so the iptable rule has to be applied after IP layer, maybe post routing.

Is it a feasible thing? Please provide your comments.

Thanks,
Prashant

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
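The rule placement the post asks about, as an added example that is not part of the original message: one helper prints the mangle/POSTROUTING rule that hands the fully built outbound packet to an NFQUEUE queue, and a second audits iptables-save output for NFQUEUE rules that fail open. The subnet, port and queue number are placeholder values chosen for illustration.

```shell
# Added example, not from the original post.  Selector values (subnet, port,
# queue number) are placeholders.

# Outbound rule: mangle/POSTROUTING sees the complete IP packet after routing
# (the nat table only sees the first packet of each connection).  The rule
# deliberately omits --queue-bypass: if the user-space daemon is not bound to
# the queue, matched packets are dropped instead of leaving in clear text.
nfqueue_outbound_rule() {  # <dst-cidr> <proto> <dport> <queue-num>
    printf 'iptables -t mangle -A POSTROUTING -d %s -p %s --dport %s -j NFQUEUE --queue-num %s\n' \
        "$1" "$2" "$3" "$4"
}

# Audit: read iptables-save text on stdin and print each NFQUEUE rule carrying
# --queue-bypass (traffic passes unprocessed when no listener is bound).
# Returns 1 if any such rule was found, else 0.
fail_open_nfqueue_rules() {
    found=0
    while IFS= read -r line; do
        case $line in
            *"-j NFQUEUE"*"--queue-bypass"*) printf '%s\n' "$line"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample of iptables-save output used for a self-check; the second
# rule is the fail-open one the audit should flag.
SAMPLE_RULES='*mangle
-A POSTROUTING -d 10.0.0.0/8 -p tcp -m tcp --dport 22 -j NFQUEUE --queue-num 0
-A POSTROUTING -d 10.1.0.0/16 -p udp -m udp --dport 500 -j NFQUEUE --queue-num 1 --queue-bypass
COMMIT'

nfqueue_outbound_rule 10.0.0.0/8 tcp 22 0
if ! printf '%s\n' "$SAMPLE_RULES" | fail_open_nfqueue_rules >/dev/null; then
    echo "fail-open NFQUEUE rule present in sample"
fi
```

Run the audit against the live ruleset with `iptables-save | fail_open_nfqueue_rules` as root; the printed rule is the one to fix.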