Thread: 35 messages, 4 authors, 2004-03-24

Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup

From: Patrick McHardy <hidden>
Date: 2004-03-19 16:34:58
Also in: netfilter-devel

Herbert Xu wrote:
On Thu, Mar 18, 2004 at 05:32:23PM +0100, Patrick McHardy wrote:
[...]
@@ -635,7 +636,6 @@
#ifdef CONFIG_IP_ROUTE_FWMARK
		fl.nl_u.ip4_u.fwmark = (*pskb)->nfmark;
#endif
-		fl.proto = iph->protocol;

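Review bot: dropping `fl.proto = iph->protocol;` while keeping the `ip_route_output_key(&rt, &fl)` call that follows leaves the protocol out of the flow key that the second hunk later passes to `xfrm_lookup(&(*pskb)->dst, &fl, ...)`, so the policy lookup only sees a protocol if `decode_session` re-fills it; if the point of clearing proto is to change what `ip_route_output_key` does, calling `__ip_route_output_key` and keeping the assignment (as the reply below suggests) makes that intent explicit, or at least add a comment stating why proto must be unset at this call. The header `@@ -635,7 +636,6 @@` also counts more lines than are quoted here, so what replaces the removed line is not visible in this excerpt.
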
Better call __ip_route_output_key rather than not setting proto because
you'll need proto in xfrm_lookup.

[...]
		if (ip_route_output_key(&rt, &fl) != 0)
			return -1;
[...]
@@ -661,6 +661,20 @@
	
	if ((*pskb)->dst->error)
		return -1;
+
+#ifdef CONFIG_XFRM
+	if (!(IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)) {
+		struct xfrm_policy_afinfo *afinfo;
+
+		afinfo = xfrm_policy_get_afinfo(AF_INET);
+		if (afinfo != NULL) {
+			afinfo->decode_session(*pskb, &fl);
+			xfrm_policy_put_afinfo(afinfo);
+			if (xfrm_lookup(&(*pskb)->dst, &fl, (*pskb)->sk, 0) != 0)
+				return -1;
+		}
+	}
+#endif

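Review bot: the `afinfo != NULL` branch is fail-open: when `xfrm_policy_get_afinfo(AF_INET)` returns NULL the packet continues past this block with no `xfrm_lookup` at all, exactly as if the policy check had passed; either `return -1` in that case or add a comment explaining why a missing AF_INET afinfo cannot occur under CONFIG_XFRM. The `IPSKB_XFRM_TRANSFORMED` test also deserves a one-line comment in the code itself, since its purpose (not running an already transformed packet through the lookup again) is only stated in the discussion, not next to the check.
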
If we can reinject transport packets then we can move this back into
the if clause.

I don't understand the relationship to transport mode packets. I used an
explicit call to xfrm_lookup so packets with non-local source are also
handled. We also need to protect against loops, packets which are
already transformed should not be transformed again.

Regards
Patrick