[Openswan dev] klips and ethernet headers ?
Harald Jenny
harald at a-little-linux-box.at
Thu Nov 18 11:41:34 EST 2010
On Thu, Nov 18, 2010 at 10:40:19PM +1000, David McCullough wrote:
>
> Jivin Harald Jenny lays it down ...
> > On Thu, Nov 18, 2010 at 10:04:28PM +1000, David McCullough wrote:
> > >
> > > Jivin Harald Jenny lays it down ...
> > > > On Thu, Nov 18, 2010 at 09:39:29PM +1000, David McCullough wrote:
> > > > >
> > > > > Hi all,
> > > >
> > > > Hi David
> > > >
> > > > >
> > > > > Here's a question that hopefully someone knows the answer to ;-)
> > > > >
> > > > > Currently openswan is not providing the "correct" MAC addresses if you tcpdump
> > > > > the ipsecX interfaces. Not surprising since klips is not an ethernet
> > > > > driver ;-) You see the ipsecX MAC address for both source and dest.
> > > > > This is filled out before klips sees the skb, only header_ops may be able
> > > > > to clean it up.
> > > > >
> > > > > So, while it may be possible to fix this, my first question is why does
> > > > > klips even try to do ethernet frame stuff ? IPsec is not an ethernet level
> > > > > protocol. All the saving/copying of the hard header and the complexity of
> > > > > the header_ops and mac header maintenance seems like something klips could
> > > > > do without.
> > > > >
> > > > > Can anyone offer a reason this should be there ? If not I may look at
> > > > > purging it all :-)
> > > >
> > > > Hmmmm why not create a branch for this, remove the code and test it? If the
> > > > reasons are historical (pre 2.4) then the problem has already gone away, if
> > > > not the testing may show them...
> > >
> > > Yeah, I thought it was a problem with the IPv6 branch, so I checked it
> > > out. Now I think it's just unnecessary code :-)
> >
> > Well maybe you should check with other non-Ethernet interfaces in the kernel?
>
> Yeah, well, that's part of why I am asking. Not much evidence of what
> klips is doing.

Hmmm ok

>
> > > I thought I would throw it out there, I want to finish ipv6 to the point
> > > where others can start playing. Then I'll look more at this depending on the
> > > feedback.
> >
> > Ok - btw is the ipv6 branch also supposed to work without OCF?
>
> Should do, and if it doesn't I'll fix it. Most of my testing is with OCF,
> but IIRC I started without it. Need to go back and check it without, esp.
> IPcomp.

Ah that sounds very good ;-).

>
> Cheers,
> Davidm

Kind regards
Harald

>
> --
> David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
> McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org