Re: [XFRM]: Always reroute in tunnel mode
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2005-02-17 11:36:54
On Thu, Feb 17, 2005 at 07:22:23AM +0100, Patrick McHardy wrote:
# Tunnel mode packets are rerouted if the tunnel destination
# address is different from the original destination address,
# otherwise the old route is used. This is inconsistent: the
# old route might have been selected for a given output device
# or using routing by tos/fwmark. Always choose a new route
# in tunnel mode.
I understand the inconsistency and agree that it should be fixed.
However, I think the way you did it has created a new inconsistency.
Tunnel mode SAs are not always used to carry subnets. It can also
be used for host-to-host configurations where the aim is to protect
the IP header. Therefore it would be inconsistent to look up a
new route for host-to-host tunnel mode SAs.
Perhaps we can simply expand the check to include local as well,
i.e.,
if (local != fl->fl4_src || remote != fl->fl4_dst) {
What do you think?
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
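The three reroute rules discussed in this thread (the original destination-only check, Patrick's always-reroute patch, and Herbert's proposed source-or-destination check), modelled as a small constructed C program so the host-to-host case can be compared side by side. This is an added example, not code from the kernel or from either poster; the struct, enum and function names are hypothetical and the addresses are made up.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the decision, not the kernel's xfrm structures. */
struct flow4 { uint32_t saddr, daddr; };      /* inner flow: fl->fl4_src, fl->fl4_dst */
struct tunnel_sa { uint32_t local, remote; }; /* tunnel endpoints of the SA */

enum reroute_policy {
    REROUTE_DST_ONLY,   /* pre-patch: new route only if remote != fl4_dst */
    REROUTE_ALWAYS,     /* Patrick's patch: always look up a new route in tunnel mode */
    REROUTE_SRC_OR_DST  /* Herbert's suggestion: new route if either endpoint changes */
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Returns 1 if the outer (tunnel) packet must be routed afresh,
 * 0 if the route already held for the inner flow is reused. */
int tunnel_reroute_needed(enum reroute_policy p, const struct flow4 *fl,
                          const struct tunnel_sa *sa)
{
    switch (p) {
    case REROUTE_DST_ONLY:   return sa->remote != fl->daddr;
    case REROUTE_ALWAYS:     return 1;
    case REROUTE_SRC_OR_DST: return sa->local != fl->saddr || sa->remote != fl->daddr;
    }
    return 1; /* unknown policy: route afresh rather than reuse a possibly wrong route */
}

int main(void)
{
    /* constructed inner flow 10.0.0.1 -> 10.0.0.2 */
    struct flow4 fl = { ip4(10, 0, 0, 1), ip4(10, 0, 0, 2) };
    /* host-to-host SA: outer header identical to the inner one */
    struct tunnel_sa same     = { ip4(10, 0, 0, 1),  ip4(10, 0, 0, 2) };
    /* only the outer source differs (tunnel leaves via another local address) */
    struct tunnel_sa src_diff = { ip4(192, 0, 2, 1), ip4(10, 0, 0, 2) };
    const struct tunnel_sa *cases[] = { &same, &src_diff };
    const char *names[] = { "host-to-host", "source-differs" };

    for (int i = 0; i < 2; i++)
        printf("%-15s dst-only=%d always=%d src-or-dst=%d\n", names[i],
               tunnel_reroute_needed(REROUTE_DST_ONLY, &fl, cases[i]),
               tunnel_reroute_needed(REROUTE_ALWAYS, &fl, cases[i]),
               tunnel_reroute_needed(REROUTE_SRC_OR_DST, &fl, cases[i]));
    return 0;
}
```

The second case is the one the destination-only check misses: the outer source address changed, so the cached route (possibly chosen for a device or by source) is reused, while the source-or-destination check routes afresh and the host-to-host case still keeps its route.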