Question about tunnels, IPsec and redirect

bill4carson bill4carson at
Sat Sep 28 22:23:37 EDT 2013

Hi, Kevin

On 2013-09-26 15:31, Kevin Wilson wrote:
> Hi,
> Of course.
> But the (unanswered) question is:
> when sp is non-NULL and we are working with IPsec, why shouldn't we
> send a redirect in such a case?

Apologies for replying late.

I think you are probably missing what "ICMP redirect" does; if so, please
take a look at this link:

My understanding is:
If a host is protected by gateway A using IPsec, then even if gateway B is a better route for the host,
gateway A cannot tell the host to use gateway B as its next hop (by sending a redirect),
because the IPsec policy is on gateway A only, and not necessarily on gateway B.

I think this is the scenario that the patch is trying to describe.

> rgs
> Kevin
> On Thu, Sep 26, 2013 at 10:02 AM, bill4carson <bill4carson at> wrote:
>> Hi Kevin
>> On 2013-09-25 02:52, Kevin Wilson wrote:
>>> Hi,
>>> I am looking at this patch:
>>> and I cannot understand it. Can somebody please try
>>> to explain?
>>> more specifically:
>>> Can somebody please give an example of some setup of IPsec tunnel
>>> where the ip_rt_send_redirect() method should not be called when the
>>> skb->sp is not NULL ?
>> +       if (rt->rt_flags&RTCF_DOREDIRECT&&  !opt->srr&&  !skb->sp)
>>                                                            ^^^^^^^
>> If IPsec policy is not enabled for a specific flow that this skb matches,
>> skb->sp is NULL.
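Review bot: the added `!skb->sp` condition carries no comment explaining why a packet with a security path must never trigger a redirect, which is exactly the question this thread is asking; a one-line comment above the check, stating that the IPsec policy applies on this gateway and not necessarily on the gateway a redirect would point the host to (the reasoning given elsewhere in this thread), would spare the next reader the same question. Note also that, as mentioned further down the thread, later kernels test `skb_sec_path(skb)` rather than `skb->sp` directly.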
>>> (in other words, why, if the SKB is an IPsec SKB, should we not send a
>>> redirect in such a case while forwarding a packet; note I am talking
>>> about IPv4)
>>> Note that the check for skb->sp was changed in recent kernels to
>>> skb_sec_path(skb), but it is essentially the same.
>>> Regards,
>>> Kevin
>> --
>> Dust flies over the eight-hundred-li Qin plain; thirty million Shaanxi folk roar out Qin opera together.
>> --bill
