From: Steffen Klassert <steffen.klassert@secunet•com>
To: Saurabh Mohan <saurabh.mohan@vyatta•com>
Cc: netdev@vger•kernel.org
Subject: Re: [net-next PATCH 01/02] net/ipv4: VTI support rx-path hook in xfrm4_mode_tunnel.
Date: Fri, 15 Jun 2012 07:46:36 +0200
Message-ID: <20120615054636.GW27795@secunet.com>
In-Reply-To: <766b5544-ace1-44b5-ac14-14d0e7702b4f@tahiti.vyatta.com>

On Thu, Jun 14, 2012 at 07:44:11PM -0700, Saurabh Mohan wrote:
> > +
> > static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
> > {
> > + struct xfrm_tunnel *handler;
> > int err = -EINVAL;
> >
> > if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP)
> > @@ -74,6 +142,10 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
> > if (!pskb_may_pull(skb, sizeof(struct iphdr)))
> > goto out;
> >
> > + /* The handlers do not consume the skb. */
> > + for_each_input_rcu(rcv_notify_handlers, handler)
> > + handler->handler(skb);
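
Review bot: the result of handler->handler(skb) in the new for_each_input_rcu loop is discarded, so the rule that handlers must not consume the skb rests only on the one-line comment above the loop. A handler that frees or queues the skb would leave the rest of xfrm4_mode_tunnel_input working on a buffer it no longer owns. Either state the contract where handlers are registered on rcv_notify_handlers and make the callback's return type reflect that nothing is checked, or check the return value here and goto out on error. The loop also passes only skb, not x, so every registered handler is called for every IPIP tunnel-mode packet that passes pskb_may_pull and has to find its own tunnel from the packet alone; a short comment saying so would help.
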
>
> I'm not sure if this is the right place to add your handler.
> My understanding of an IPsec tunnel device would be to
> receive the packet first and then do IPsec processing.
> Here it happens the other way around.
>
> @SM: The intention is to get the packet post decrypt and post-esp-decap. Just like a GRE tunnel the rx-counters account for the payload and NOT the GRE header.
>
Well, I think a virtual interface should behave similarly
to physical interfaces. And a physical interface has to
receive the packet before it can be processed.
I looked into the old klips IPsec implementation.
They had virtual IPsec interfaces and they did it like
that, update the statistics and the input device first
and process the packet then.