[Openswan dev] decrypted packet appears at wrong ipsec interface

hiren joshi joshihirenn at gmail.com
Mon Sep 8 10:11:28 EDT 2008


Thanks much for your reply.

> That seems like a step in the right direction. Though we should see if we
> can determine this properly by looking up the ipsecX interface belonging to
> the skb->dev->name ethX interface.

The code was just for a PoC.

The comment says that there is some motivation for fudging ipsec0 for
NATed connections.

        /* XXX fudge it so that all nat-t stuff comes from ipsec0    */
        /*     eventually, the SA itself will determine which device
         *     it comes from
         */
        {
          skb->dev = ipsec_get_device(0);
        }

Would it be proper to override this fudging by mapping ipsecX to ethX?

Regards,
-hiren

