On Wed, Jan 25, 2006 at 10:25:27AM +0100, Patrick McHardy wrote:
>
> I don't like adding this special behaviour for NAT, people need
> to adjust their rulesets for filtering etc. anyway. We could stop
> rerouting packets in between transforms (when both dst->xfrm and
> IPSKB_XFRM_TRANSFORMED are set), but this is inconsistent with what
> happens on input, when a packet is DNATed in PRE_ROUTING it does

Actually we can never achieve perfect symmetry because the two cases are fundamentally different. On outbound we start with a template which guides us all the way to the end. On inbound we (currently) don't determine the policy until the very end.

> affect the SA lookup. So I think I'd prefer handling this case in
> xfrm[46]_output_finish, but I need to think about it a bit more.

Having said that I'm certainly not averse to such a solution. The only thing I would like to see is for it to be flexible enough so that you always get at least one chance to SNAT before the xfrm_policy is completely pinned down. This should leave the user with enough flexibility to do whatever they wish.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt