On Sunday, 20 November 2005 17:31, Patrick McHardy wrote:

Hi!

> - policy lookups after NAT:
>
> When NAT changes a packet it already calls ip_route_me_harder, which
> reroutes the packet and does a new policy lookup. It only looks at
> the IP addresses however; changing the port numbers requires a new
> policy lookup as well. It also doesn't reroute in POST_ROUTING, since
> the packet has already been routed. To behave more like a regular
> tunnel device a policy lookup is now also done after SNAT and the
> packet is passed to dst_output again if the lookup yielded a new
> policy.
I suppose this is the reason why masqueraded packets leave a recent kernel unencrypted, even if they would match the policy. It's still not implemented in mainline. Am I right? If yes, I hope your patches will be merged as soon as possible :-)

regards,
Jörg

--
Hi! I'm a .signature virus! Copy me into your signature to help me spread!
PGP Key: send mail with subject 'SEND PGP-KEY'
PGP Key-ID: FD 4E 21 1D
PGP Fingerprint: 388A872AFC5649D3 BCEC65778BE0C605
I am Ohm of Borg. Resistance is voltage divided by current.
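The following is an added illustration of the behaviour quoted above; it is example code written for this page, not kernel code and not part of Patrick's patches. It models the IPsec policy selector as a simplified stand-in for xfrm_selector (address prefixes, port/mask pairs, protocol) and compares two lookup strategies around NAT: the old one, which reuses the pre-NAT result unless an address changed and never re-looks-up in POST_ROUTING, and the proposed one, which always re-runs the lookup on the rewritten tuple. The policy table, the two flows, the hook names and all addresses are constructed for the example; the masquerade case is the one Jörg asks about, and the port-only DNAT case is the "changing the port numbers" point from the quote.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model only: simplified stand-ins for xfrm_selector and the flow key. */
struct sel {
    const char *name;
    uint32_t saddr, daddr;       /* host-order IPv4 */
    uint8_t  splen, dplen;       /* prefix lengths, 0 = any */
    uint16_t sport, sport_mask;  /* mask 0 = any port, like xfrm_selector */
    uint16_t dport, dport_mask;
    uint8_t  proto;              /* 0 = any */
};

struct flow {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
};

enum nat_hook { HOOK_PRE_ROUTING, HOOK_POST_ROUTING };

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static uint32_t plen_mask(uint8_t plen)
{
    return plen == 0 ? 0u : 0xffffffffu << (32 - plen);
}

/* Full selector match: protocol, both address prefixes and both ports. */
static int sel_match(const struct sel *s, const struct flow *f)
{
    if (s->proto && s->proto != f->proto)
        return 0;
    if ((s->saddr & plen_mask(s->splen)) != (f->saddr & plen_mask(s->splen)))
        return 0;
    if ((s->daddr & plen_mask(s->dplen)) != (f->daddr & plen_mask(s->dplen)))
        return 0;
    if ((s->sport & s->sport_mask) != (f->sport & s->sport_mask))
        return 0;
    if ((s->dport & s->dport_mask) != (f->dport & s->dport_mask))
        return 0;
    return 1;
}

/* First matching policy wins; NULL means the packet goes out in the clear. */
static const struct sel *policy_lookup(const struct sel *tab, size_t n,
                                       const struct flow *f)
{
    for (size_t i = 0; i < n; i++)
        if (sel_match(&tab[i], f))
            return &tab[i];
    return NULL;
}

/* Old behaviour as described in the mail: lookup was done on the pre-NAT
 * tuple; after NAT a fresh lookup happens only when an address changed,
 * and never in POST_ROUTING because the packet is already routed. */
static const struct sel *old_policy_after_nat(enum nat_hook hook,
                                              const struct flow *pre,
                                              const struct flow *post,
                                              const struct sel *tab, size_t n)
{
    const struct sel *p = policy_lookup(tab, n, pre);

    if (hook == HOOK_POST_ROUTING)
        return p;                               /* SNAT: no re-lookup at all */
    if (pre->saddr != post->saddr || pre->daddr != post->daddr)
        return policy_lookup(tab, n, post);     /* the ip_route_me_harder case */
    return p;                                   /* port-only rewrite: stale */
}

/* Proposed behaviour: always re-run the lookup on the rewritten tuple. */
static const struct sel *new_policy_after_nat(enum nat_hook hook,
                                              const struct flow *pre,
                                              const struct flow *post,
                                              const struct sel *tab, size_t n)
{
    (void)hook; (void)pre;
    return policy_lookup(tab, n, post);
}

static const char *policy_name(const struct sel *p)
{
    return p ? p->name : "none (cleartext)";
}

/* Constructed policy table: a tunnel keyed on the gateway's public address,
 * and a per-port policy for TCP to one host on port 8443. */
static const struct sel policies[] = {
    { "tunnel-public", IP4(198,51,100,1), IP4(203,0,113,0), 32, 24, 0, 0, 0, 0, 0 },
    { "tls-8443", IP4(10,0,0,0), IP4(192,0,2,10), 8, 32, 0, 0, 8443, 0xffff, 6 },
};
#define NPOL (sizeof(policies) / sizeof(policies[0]))

/* Case 1: a LAN host masqueraded behind 198.51.100.1 in POST_ROUTING. */
const char *scenario_masquerade(int use_new)
{
    struct flow pre  = { IP4(10,1,1,5), IP4(203,0,113,7), 40000, 443, 6 };
    struct flow post = pre;
    post.saddr = IP4(198,51,100,1);
    const struct sel *p = use_new
        ? new_policy_after_nat(HOOK_POST_ROUTING, &pre, &post, policies, NPOL)
        : old_policy_after_nat(HOOK_POST_ROUTING, &pre, &post, policies, NPOL);
    return policy_name(p);
}

/* Case 2: DNAT in PRE_ROUTING that rewrites only the destination port. */
const char *scenario_port_dnat(int use_new)
{
    struct flow pre  = { IP4(10,1,1,5), IP4(192,0,2,10), 40001, 443, 6 };
    struct flow post = pre;
    post.dport = 8443;
    const struct sel *p = use_new
        ? new_policy_after_nat(HOOK_PRE_ROUTING, &pre, &post, policies, NPOL)
        : old_policy_after_nat(HOOK_PRE_ROUTING, &pre, &post, policies, NPOL);
    return policy_name(p);
}

int main(void)
{
    printf("masquerade: old=%s new=%s\n", scenario_masquerade(0), scenario_masquerade(1));
    printf("port DNAT:  old=%s new=%s\n", scenario_port_dnat(0), scenario_port_dnat(1));
    return 0;
}
```

In both constructed cases the old strategy returns no policy and the packet would leave in cleartext even though the post-NAT tuple matches one; the always-re-lookup strategy finds "tunnel-public" for the masqueraded flow and "tls-8443" for the port-rewritten flow, which is the point at which the real patch hands the packet to dst_output again.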