> For 2.2.x, we had planned to get away from all this silly virtual
> device stuff and route stealing and routing table mucking about.
This plan was CORRECT.
> Later he concludes that our processing should be done before
> ip_build_xmit(), which echoes some of our previous instincts. He also
> suggests that our eroute lookup should happen when the dst stuff does
> now, and suggests that we should store a per-eroute pmtu.
It is not my suggestion. It is evident that ip_build_xmit is useless
for IPsec. Just look at it, factor out fragmentation code and you will see,
that it reduces to several lines of the dumbest code.
> "Ah, this sounds like you are encapsulating packets in another
> protocol before sending them, like ip_gre.c for example.
Exactly. If you use virtual devices, you will have whole
bucket of silly problems. Certainly, the way to workaround all them exists,
look at another virtual devices (teql, shaper). If you will be enough
accurate you will stop to see all those miracles, which you said above 8)
But it is way to nowhere. Do not try to invent the wheel, just follow
specs. All the construction is described in details in IPsec docs, actually
we have nothing to add to them without reducing functionality.
Well, take as example any other IPsec implementation.
Alexey
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/