[Openswan Users] Routing on a bigger network
Herbert Xu
herbert at gondor.apana.org.au
Wed Feb 2 13:38:58 CET 2005
Paul Wouters <paul at xelerance.com> wrote:
>
> No, it will be even harder, because KLIPS does (against RFC) longest-match
> first, so you can have policies for 10.0.0.0/16 and 10.0.0.0/24, and packets
> for 10.0.0.3 will enter the latter tunnel instead of the former. NETKEY does
> it based on the order of when you added the policies into the kernel.
This is not the complete story. The native stack sorts policies using
an arbitrary 32-bit integer. This provides complete freedom to the user
in determining the order of policies.
For example, Openswan's kernel_netlink.c implementation uses that integer
to achieve exactly the same ordering as is used under KLIPS.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
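
The ordering point made in this message, as an added example that is not part of the original post and is not Openswan's code: a toy policy table in which the lowest 32-bit priority value is consulted first and equal values keep insertion order. The struct, the function names and the prefix-to-priority mapping are hypothetical and are not the formula used in kernel_netlink.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Toy policy: destination prefix plus the 32-bit priority the post describes. */
struct policy {
    const char *name;
    uint32_t net;       /* host byte order */
    unsigned plen;      /* prefix length */
    uint32_t priority;  /* lower value is consulted first (model assumption) */
};

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

static int matches(const struct policy *p, uint32_t dst) {
    uint32_t mask = p->plen ? ~(uint32_t)0 << (32 - p->plen) : 0;
    return (dst & mask) == (p->net & mask);
}

/* Hypothetical mapping (not Openswan's): longer prefix gives a smaller value. */
static uint32_t prio_from_prefix(unsigned plen) { return 2000u - plen; }

/* First match in priority order; equal priorities keep insertion order. */
static const struct policy *lookup(const struct policy *tab, size_t n, uint32_t dst) {
    const struct policy *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (matches(&tab[i], dst) && (!best || tab[i].priority < best->priority))
            best = &tab[i];
    return best;
}

/* Prefix length of the policy chosen for 10.0.0.3; the /16 is inserted first. */
static unsigned chosen_plen(int use_prefix_priority) {
    struct policy tab[] = {            /* constructed sample policies */
        { "net16", IP4(10,0,0,0), 16, 1000 },
        { "net24", IP4(10,0,0,0), 24, 1000 },
    };
    if (use_prefix_priority)
        for (size_t i = 0; i < 2; i++)
            tab[i].priority = prio_from_prefix(tab[i].plen);
    return lookup(tab, 2, IP4(10,0,0,3))->plen;
}

int main(void) {
    printf("equal priorities:        /%u\n", chosen_plen(0));
    printf("prefix-derived priority: /%u\n", chosen_plen(1));
    return 0;
}
```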