Hi, Kevin

On 2013-09-26 15:31, Kevin Wilson wrote:
> Hi,
> Of course.
> But the (unanswered) question is:
> when sp is non NULL and we are working with IPsec, why shouldn't we
> send redirect in such a case ?

Apologies for replying late.
I think you are probably missing what "ICMP redirect" does; if so, please take a look at
this link:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml

My understanding is:
If the host is protected by gateway A using IPsec, even if a better route for the
host is gateway B, gateway A cannot tell the host to use gateway B as next hop
(sending a redirect), as the IPsec policy is on gateway A only, not necessarily
on gateway B.

I think this is the scenario that the patch is trying to describe.

> rgs
> Kevin
>
> On Thu, Sep 26, 2013 at 10:02 AM, bill4carson<bill4carson@xxxxxxxxx> wrote:
>> Hi Kevin
>>
>>
>> On 2013-09-25 02:52, Kevin Wilson wrote:
>>>
>>> Hi,
>>> I am looking at this patch:
>>> http://lists.openwall.net/netdev/2007/08/24/29
>>> and I cannot understand it. Can somebody please try
>>> to explain ?
>>> more specifically:
>>> Can somebody please give an example of some setup of IPsec tunnel
>>> where the ip_rt_send_redirect() method should not be called when the
>>> skb->sp is not NULL ?
>>
>>
>> + if (rt->rt_flags&RTCF_DOREDIRECT&& !opt->srr&& !skb->sp)
>>                                                    ^^^^^^^
>> If IPsec policy is not enabled for a specific flow that this skb matches,
>> skb->sp is NULL.
>>
>>
>>
>>> (in other words, why if the SKB is an IPsec SKB, we should not send a
>>> redirect in such a case while forwarding a packet; note I am talking
>>> about IPv4)
>>>
>>> Note that the check for skb->sp was changed in recent kernels to
>>> skb_sec_path(skb), but it is essentially the same.
>>>
>>>
>>> Regards,
>>> Kevin
>>>
>>> _______________________________________________
>>> Kernelnewbies mailing list
>>> Kernelnewbies@xxxxxxxxxxxxxxxxx
>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>
>>
>> --
>> Dust flies across the eight hundred li of the Qin plain; thirty million Shaanxi natives roar out Qinqiang opera together.
>>
>> --bill
>

--
Dust flies across the eight hundred li of the Qin plain; thirty million Shaanxi natives roar out Qinqiang opera together.

--bill
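
Review bot: the `!skb->sp` term at the end of the quoted `if` has no comment saying why a packet that carries a security path must not trigger a redirect, and this thread shows the reason is not evident from the condition alone. A one-line comment above the test, along the lines of the explanation given in the reply (the IPsec policy is on the forwarding gateway only, not necessarily on the gateway a redirect would point to), would answer the question at the source. The missing spaces around `&` and `&&` in `rt->rt_flags&RTCF_DOREDIRECT&&` are worth checking against the original patch as well.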