Re: [Ipsec] Issue on input process of Linux native IPsec

[David Dillow]

On Wed, 2004-12-22 at 22:29 -0800, Park Lee wrote:
> Thanks.
> But, After a packet was received, It has already been
> processed by xfrm4_rcv(), xfrm4_rcv_encap(),
> ah_input(), esp_input(),etc. so, I think that there is
> no need to search(or created) a bundle everytime a
> packet is recieved, since it has already been
> processed. Am I right?

Are you sure you're not seeing the creation of a reply packet? Unless
you're testing with UDP and a listening socket on the receiver, you're
going to get a response packet if the incoming packet makes it through
the iptables rules. You were testing with ICMP echo requests (ping), if
I recall.

I think either you're basing your idea of the packet flow on printk()'s,
or I'm just too tired and missing where xfrm_lookup() gets called on the
rx path... (yes, sk can be NULL there, but I was wrong about it being
called for Rx'd packets, I think).

However, if your NIC driver does NAPI, you can see an xfrm_lookup() on
the reply packet when the driver calls netif_receive_skb() -- this bit
me recently...
-- 
David Dillow <dave@xxxxxxxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/