Question about tunnels, IPsec and redirect

Kevin Wilson wkevils at gmail.com
Thu Sep 26 03:31:11 EDT 2013


Hi,
Of course.
But the (unanswered) question is:
when sp is non-NULL and we are working with IPsec, why shouldn't we
send a redirect in such a case?

rgs
Kevin

On Thu, Sep 26, 2013 at 10:02 AM, bill4carson <bill4carson at gmail.com> wrote:
> Hi Kevin
>
>
> On 2013-09-25 02:52, Kevin Wilson wrote:
>>
>> Hi,
>> I am looking at this patch:
>> http://lists.openwall.net/netdev/2007/08/24/29
>> and I cannot understand it. Can somebody please try
>> to explain ?
>> more specifically:
>> Can somebody please give an example of some setup of IPsec tunnel
>> where the ip_rt_send_redirect() method should not be called when the
>> skb->sp is not NULL ?
>
>
> +       if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb->sp)
>                                                           ^^^^^^^
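
Review bot: the `!skb->sp` test added at the end of this condition carries no comment saying why a packet with a security path attached must not generate a redirect, and the reason is not evident from the line itself. A short comment above the `if` stating that rationale would help; separately, `rt->rt_flags&RTCF_DOREDIRECT` would read better with spaces around `&`.
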
> If IPsec policy is not enabled for a specific flow that this skb matches,
> skb->sp is NULL.
>
>
>
>> (in other words, why, if the SKB is an IPsec SKB, should we not send a
>> redirect in such a case while forwarding a packet; note I am talking
>> about IPv4)
>>
>> Note that the check for skb->sp was changed in recent kernels to
>> skb_sec_path(skb), but it is essentially the same.
>>
>>
>> Regards,
>> Kevin
>>
>
> --
> Dust flies across the eight hundred li of the Qin plain; thirty million Shaanxi folk roar out Qinqiang opera together.
>
> --bill


