* [IPSEC] Set TTL from route
@ 2004-08-24 10:56 Herbert Xu
2004-08-24 18:47 ` David S. Miller
0 siblings, 1 reply; 3+ messages in thread
From: Herbert Xu @ 2004-08-24 10:56 UTC (permalink / raw)
To: David S. Miller, netdev
[-- Attachment #1: Type: text/plain, Size: 890 bytes --]
Hi Dave:
Here is the promised patch that sets the TTL from the route parameter.
I decided against adding an option to inherit the TTL like IPIP/GRE
as I think that it doesn't really make sense with IPsec. But it
can be easily added later if someone needs it.
This isn't completely right when nested tunnels are involved. The
TTL for intervening tunnels should be set from the routes to the
intervening nodes. But fixing that involves using information that
isn't currently in the bundle. I'll revisit this once the MTU stuff
is fixed since that'll also involving adding the intervening routes
to the bundle.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
[-- Attachment #2: p --]
[-- Type: text/plain, Size: 986 bytes --]
===== net/ipv4/xfrm4_output.c 1.4 vs edited =====
--- 1.4/net/ipv4/xfrm4_output.c 2004-08-20 20:39:43 +10:00
+++ edited/net/ipv4/xfrm4_output.c 2004-08-24 20:03:26 +10:00
@@ -58,8 +58,7 @@
if (!top_iph->frag_off)
__ip_select_ident(top_iph, dst, 0);
- /* TTL disclosed */
- top_iph->ttl = iph->ttl;
+ top_iph->ttl = dst_path_metric(dst, RTAX_HOPLIMIT);
top_iph->saddr = x->props.saddr.a4;
top_iph->daddr = x->id.daddr.a4;
===== net/ipv6/xfrm6_output.c 1.4 vs edited =====
--- 1.4/net/ipv6/xfrm6_output.c 2004-08-20 20:39:43 +10:00
+++ edited/net/ipv6/xfrm6_output.c 2004-08-24 20:52:19 +10:00
@@ -64,7 +64,7 @@
top_iph->flow_lbl[1] = iph->flow_lbl[1];
top_iph->flow_lbl[2] = iph->flow_lbl[2];
top_iph->nexthdr = IPPROTO_IPV6;
- top_iph->hop_limit = iph->hop_limit;
+ top_iph->hop_limit = dst_path_metric(dst, RTAX_HOPLIMIT);
ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
}
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [IPSEC] Set TTL from route
2004-08-24 10:56 [IPSEC] Set TTL from route Herbert Xu
@ 2004-08-24 18:47 ` David S. Miller
2004-08-24 21:35 ` Herbert Xu
0 siblings, 1 reply; 3+ messages in thread
From: David S. Miller @ 2004-08-24 18:47 UTC (permalink / raw)
To: Herbert Xu; +Cc: netdev, kaber
On Tue, 24 Aug 2004 20:56:41 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:
> Here is the promised patch that sets the TTL from the route parameter.
> I decided against adding an option to inherit the TTL like IPIP/GRE
> as I think that it doesn't really make sense with IPsec. But it
> can be easily added later if someone needs it.
I think we want to add this at some point.
> This isn't completely right when nested tunnels are involved. The
> TTL for intervening tunnels should be set from the routes to the
> intervening nodes. But fixing that involves using information that
> isn't currently in the bundle. I'll revisit this once the MTU stuff
> is fixed since that'll also involving adding the intervening routes
> to the bundle.
Looks great, patch applied.
Patrick McHardy was thinking of looking into the MTU issues
after he finished up some netfilter IPSEC patches he's been
working on. Perhaps you can work together with him :)
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2004-08-24 21:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-08-24 10:56 [IPSEC] Set TTL from route Herbert Xu
2004-08-24 18:47 ` David S. Miller
2004-08-24 21:35 ` Herbert Xu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).