From: Ludo Stellingwerff <ludo@protactive.nl>
To: netdev@oss.sgi.com
Subject: Re: [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS
Date: Sun, 20 Mar 2005 19:11:26 +0100 [thread overview]
Message-ID: <423DBCCE.8090006@protactive.nl> (raw)
In-Reply-To: <423DB7B7.1070604@trash.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Patrick McHardy wrote:
| Lennert Buytenhek wrote:
|> - I have no idea beforehand what the remote nexthop is going to
|> be. A1 might ordinarily send its traffic for site B to B1, but
|> if B1 fails it'll want to start using B2 instead, which would be
|> prevented by the SPD rule hardcoding the remote tunnel endpoint
|> to B1.
|>
|
| Hmm .. sounds like using the routing realm in the selector would
| solve this while avoiding the GRE overhead.
|
| Regards Patrick
|
I'm hoping that using the fwmark as a selector can provide a workable
solution for both mine and Lennert's problem, any many more related
situations. Netfilter has a (almost) complete range of selectors.
e.g. Lennerts problem could be solved using a combination of the
"realm" match of iptables, in combination with a fwmark for SPD matching.
Greetings,
Ludo.
PS. On a side note: Wouldn't it be possible to have a netfilter target
stating that an transformation should be done?
- --
Ludo Stellingwerff
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCPbzNOF3sCpZ+AJgRApxBAJ9akLfP1onp+WKRgmJ1YDImkrXLHwCgkPS4
GvwO1PoUwkJnVTOjeaf/ZEw=
=OebA
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2005-03-20 18:11 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-02-14 22:10 [1/4] [IPSEC] Merge xfrm[46]_bundle/stale_bundle Herbert Xu
2005-02-14 22:12 ` [2/4] [IPSEC] Add xfrm_state_mtu Herbert Xu
2005-02-14 22:14 ` [3/4] [IPSEC] Add route element to xfrm_dst Herbert Xu
2005-02-14 22:16 ` [4/4] [IPSEC] Store MTU at each xfrm_dst Herbert Xu
2005-02-15 15:53 ` James Morris
2005-02-15 20:31 ` Herbert Xu
2005-02-16 10:37 ` [5/*] [IPSEC] Use dst_mtu in xfrm[46]_output Herbert Xu
2005-02-16 11:08 ` [6/*] [IPSEC] Fix xfrm[46]_update_pmtu to update top dst Herbert Xu
2005-02-16 11:38 ` [7/*] [IPSEC] Get metrics for xfrm_dst from " Herbert Xu
2005-03-07 5:47 ` David S. Miller
2005-03-07 10:41 ` Herbert Xu
2005-03-07 5:35 ` [6/*] [IPSEC] Fix xfrm[46]_update_pmtu to update " David S. Miller
2005-03-07 10:39 ` Herbert Xu
2005-03-07 5:33 ` [5/*] [IPSEC] Use dst_mtu in xfrm[46]_output David S. Miller
2005-03-07 11:45 ` [10/*] [TCP] Get rid of dst_ptmu/ext2_header_len Herbert Xu
2005-03-07 17:33 ` David S. Miller
2005-03-07 5:32 ` [4/4] [IPSEC] Store MTU at each xfrm_dst David S. Miller
2005-03-07 10:35 ` [9/*] [IPSEC] Check dst validity harder in xfrm_bundle_ok Herbert Xu
2005-03-07 17:32 ` David S. Miller
2005-03-08 10:27 ` [11/*] [NET] Move dst_release out of dst->ops->check Herbert Xu
2005-03-08 12:50 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-11 2:17 ` David S. Miller
2005-03-14 10:26 ` [12/*] [IPSEC] Handle local_df in IPv4 Herbert Xu
2005-03-14 10:53 ` [13/*] [IPV4] Fix room calculation in icmp_send Herbert Xu
2005-03-14 11:10 ` [14/*] [IPV6] Reload skb->dst after xfrm6_route_forward Herbert Xu
2005-03-15 5:27 ` David S. Miller
2005-03-15 9:19 ` [15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data Herbert Xu
2005-03-15 9:58 ` [16/*] [INET] Take IPsec overhead into account in tunnels Herbert Xu
2005-03-15 10:05 ` [17/*] [NET] Replace dst_pmtu with dst_mtu Herbert Xu
2005-03-15 18:24 ` David S. Miller
2005-03-15 19:02 ` Patrick McHardy
2005-03-15 20:40 ` Replace send_unreach with icmp_send Herbert Xu
2005-03-15 20:48 ` Patrick McHardy
2005-03-16 10:51 ` [IPV4] Make ipt_REJECT use icmp_send again Herbert Xu
2005-03-16 19:00 ` Patrick McHardy
2005-03-16 22:44 ` David S. Miller
2005-03-17 10:51 ` [IPV4] Send TCP reset through dst_output in ipt_REJECT Herbert Xu
2005-03-17 18:06 ` David S. Miller
2005-03-15 20:31 ` [17/*] [NET] Replace dst_pmtu with dst_mtu Herbert Xu
2005-03-15 10:20 ` [16/*] [INET] Take IPsec overhead into account in tunnels Lennert Buytenhek
2005-03-15 10:27 ` Herbert Xu
2005-03-15 18:20 ` David S. Miller
2005-03-18 9:03 ` [21/*] [IPv4] Fix MTU check in ipmr_queue_xmit Herbert Xu
2005-03-18 9:11 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS Herbert Xu
2005-03-18 9:19 ` [23/*] [IPV4] Kill remaining unnecessary uses of dst_pmtu Herbert Xu
2005-03-18 10:07 ` [24/*] [IPSEC] Get ttl from child instead of path Herbert Xu
2005-03-18 10:11 ` [25/*] [NET] Kill unnecessary uses of dst_path_metric Herbert Xu
2005-03-18 11:06 ` [26/*] [NET] Kill dst_pmtu/dst_path_metric Herbert Xu
2005-03-18 11:28 ` [27/*] [NET] Make dst_allfrag use dst instead of dst->path Herbert Xu
2005-03-18 18:47 ` David S. Miller
2005-03-18 18:46 ` [26/*] [NET] Kill dst_pmtu/dst_path_metric David S. Miller
2005-03-18 18:44 ` [25/*] [NET] Kill unnecessary uses of dst_path_metric David S. Miller
2005-03-18 18:43 ` [24/*] [IPSEC] Get ttl from child instead of path David S. Miller
2005-03-18 18:41 ` [23/*] [IPV4] Kill remaining unnecessary uses of dst_pmtu David S. Miller
2005-03-18 18:40 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS David S. Miller
2005-03-20 15:46 ` Patrick McHardy
2005-03-20 16:32 ` Ludo Stellingwerff
2005-03-20 17:17 ` Lennert Buytenhek
2005-03-20 17:49 ` Patrick McHardy
2005-03-20 18:11 ` Ludo Stellingwerff [this message]
2005-03-20 18:22 ` Patrick McHardy
2005-03-20 18:43 ` jamal
2005-03-20 19:10 ` Patrick McHardy
2005-03-30 9:49 ` Extending xfrm_selector (Was: [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS) Herbert Xu
2005-03-23 3:49 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS David S. Miller
2005-03-23 4:03 ` Patrick McHardy
2005-03-24 5:05 ` Netfilter+IPsec Patrick McHardy
2005-03-24 5:43 ` Netfilter+IPsec David S. Miller
2005-03-25 2:53 ` Netfilter+IPsec Herbert Xu
2005-03-25 5:10 ` Netfilter+IPsec Patrick McHardy
2005-03-23 9:24 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS Herbert Xu
2005-03-18 18:39 ` [21/*] [IPv4] Fix MTU check in ipmr_queue_xmit David S. Miller
2005-03-15 18:18 ` [15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data David S. Miller
2005-03-16 11:31 ` Herbert Xu
2005-03-16 22:02 ` David S. Miller
2005-03-21 16:14 ` Mika Penttilä
2005-03-21 20:28 ` Herbert Xu
2005-03-21 21:29 ` Mika Penttilä
2005-03-21 22:04 ` Herbert Xu
2005-03-15 5:26 ` [13/*] [IPV4] Fix room calculation in icmp_send David S. Miller
2005-03-15 5:25 ` [12/*] [IPSEC] Handle local_df in IPv4 David S. Miller
2005-03-15 18:25 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-15 18:28 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-28 20:10 ` [4/4] [IPSEC] Store MTU at each xfrm_dst Patrick McHardy
2005-03-28 23:30 ` [IPSEC] Move xfrm_flush_bundles into xfrm_state GC Herbert Xu
2005-03-31 0:10 ` Patrick McHardy
2005-04-01 5:21 ` David S. Miller
2005-03-28 23:39 ` Checking SPI in xfrm_state_find Herbert Xu
2005-03-31 0:13 ` Patrick McHardy
2005-03-31 0:46 ` Herbert Xu
2005-04-01 5:23 ` David S. Miller
2005-04-02 0:49 ` [IPSEC]: Kill nested read lock by deleting xfrm_init_tempsel Herbert Xu
2005-04-02 1:20 ` David S. Miller
2005-04-02 2:09 ` Herbert Xu
2005-04-03 16:48 ` Patrick McHardy
2005-04-05 10:39 ` Herbert Xu
2005-04-05 20:01 ` Patrick McHardy
2005-04-06 2:21 ` Herbert Xu
2005-04-21 23:35 ` David S. Miller
2005-04-21 23:52 ` Herbert Xu
2005-04-21 23:53 ` Patrick McHardy
2005-04-22 3:13 ` David S. Miller
2005-04-03 17:00 ` Checking SPI in xfrm_state_find Patrick McHardy
2005-02-15 8:10 ` [3/4] [IPSEC] Add route element to xfrm_dst Mika Penttilä
2005-02-15 9:53 ` Herbert Xu
2005-02-15 10:22 ` Mika Penttilä
2005-03-07 5:28 ` David S. Miller
2005-03-07 10:02 ` Herbert Xu
2005-03-07 10:16 ` [IPSEC] Kill redundan dst_release check in xfrm_dst_destroy Herbert Xu
2005-03-07 17:35 ` David S. Miller
2005-03-14 11:52 ` [3/4] [IPSEC] Add route element to xfrm_dst Patrick McHardy
2005-03-14 20:32 ` Herbert Xu
2005-03-15 19:05 ` Patrick McHardy
2005-03-07 5:23 ` [2/4] [IPSEC] Add xfrm_state_mtu David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=423DBCCE.8090006@protactive.nl \
--to=ludo@protactive.nl \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.