From: Steffen Klassert <steffen.klassert@secunet.com>
To: Christophe Gouault <christophe.gouault@6wind.com>
Cc: netdev@vger.kernel.org, Saurabh Mohan <saurabh.mohan@vyatta.com>
Subject: Re: [PATCH RFC v2 0/13] vti4: prepare namespace and interfamily support.
Date: Tue, 14 Jan 2014 08:51:38 +0100 [thread overview]
Message-ID: <20140114075138.GG31491@secunet.com> (raw)
In-Reply-To: <52CC2714.5080600@6wind.com>
On Tue, Jan 07, 2014 at 05:11:00PM +0100, Christophe Gouault wrote:
>
> Sorry for my late comments, I had to delay my tests due to Christmas and
> New Year's celebrations.
Sorry for the delay on my side, I had to setup a testcase
for vti with namespaces first.
>
> I have a few comments about your proposed patches:
>
> In input, the vti tunnel processing does not follow the usual tunnel
> processing. Conventionally, the packets are first decapsulated, then
> only the skbuff interface is changed to the tunnel interface. In the vti
> code, the interface is changed before IPsec decryption, hence before
> decapsulation.
>
> It results in a configuration asymmetry when we later support cross
> netns: the outer SAs and SPs must be defined in the outer netns, while
> the inner SAs and SPs must be defined in the inner netns.
You are absolutely right here. I'll change this to do the namespace
transition after the decapsulation in the vti_rcv_cb() callback.
Then in and outbound states/policies must be defined in the outer
namespace. I'll send another RFC version of that patchset during the
next days.
Thanks for pointing this out!
prev parent reply other threads:[~2014-01-14 7:51 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-16 9:18 [PATCH RFC v2 0/13] vti4: prepare namespace and interfamily support Steffen Klassert
2013-12-16 9:19 ` [PATCH RFC v2 01/13] xfrm4: Add IPsec protocol multiplexer Steffen Klassert
2013-12-16 9:19 ` [PATCH RFC v2 02/13] esp4: Use the IPsec protocol multiplexer API Steffen Klassert
2013-12-16 9:20 ` [PATCH RFC v2 03/13] esp4: Export esp4_err Steffen Klassert
2013-12-16 9:21 ` [PATCH RFC v2 04/13] ah4: Use the IPsec protocol multiplexer API Steffen Klassert
2013-12-16 9:21 ` [PATCH RFC v2 05/13] ah4: Export ah4_err Steffen Klassert
2013-12-16 9:22 ` [PATCH RFC v2 06/13] ipcomp4: Use the IPsec protocol multiplexer API Steffen Klassert
2013-12-16 9:23 ` [PATCH RFC v2 07/13] ipcomp4: Export ipcomp4_err Steffen Klassert
2013-12-16 9:23 ` [PATCH RFC v2 08/13] xfrm: Add xfrm_tunnel_skb_cb to the skb common buffer Steffen Klassert
2013-12-16 12:54 ` Nicolas Dichtel
2013-12-16 13:02 ` Steffen Klassert
2013-12-16 9:24 ` [PATCH RFC v2 09/13] ip_tunnel: Make vti work with i_key set Steffen Klassert
2013-12-16 9:25 ` [PATCH RFC v2 10/13] vti: Update the ipv4 side to use it's own receive hook Steffen Klassert
2013-12-16 9:26 ` [PATCH RFC v2 11/13] xfrm4: Remove xfrm_tunnel_notifier Steffen Klassert
2013-12-16 9:27 ` [PATCH RFC v2 12/13] vti4: Use the on xfrm_lookup returned dst_entry directly Steffen Klassert
2013-12-16 9:28 ` [PATCH RFC v2 13/13] vti4: Support inter address family tunneling Steffen Klassert
2014-01-07 16:11 ` [PATCH RFC v2 0/13] vti4: prepare namespace and interfamily support Christophe Gouault
2014-01-07 19:45 ` Christophe Gouault
2014-01-14 7:51 ` Steffen Klassert [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140114075138.GG31491@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=christophe.gouault@6wind.com \
--cc=netdev@vger.kernel.org \
--cc=saurabh.mohan@vyatta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).