[Openswan dev] decrypted packet appears at wrong ipsec interface
Paul Wouters
paul at xelerance.com
Mon Sep 8 10:09:24 EDT 2008
On Mon, 8 Sep 2008, hiren joshi wrote:
>> That seems like a step in the right direction. Though we should see if we
>> can determine this properly by looking up the ipsecX interface belonging to
>> the skb->dev->name ethX interface.
>
> The code was just for a PoC.

I know. Thanks for that.

> The comment says that there is some motivation for fudging ipsec0 for
> NATed connections.
>
> /* XXX fudge it so that all nat-t stuff comes from ipsec0 */
> /* eventually, the SA itself will determine which device
>  * it comes from
>  */
> {
>         skb->dev = ipsec_get_device(0);
> }
>
> Would it be proper to override this fudging by mapping ipsecX to ethX?

Yes, that would be the proper fix. I am not sure yet if there was a
reason this needed to be fudged.

Paul