Re: [XFRM]: Always reroute in tunnel mode
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2005-02-17 20:38:05
On Thu, Feb 17, 2005 at 07:15:55PM +0100, Patrick McHardy wrote:
> > Perhaps we can simply expand the check to include local as well, i.e.,
> >
> > if (local != fl->fl4_src || remote != fl->fl4_dst) {
> >
> > What do you think?
>
> I don't think this solves the inconsistency. By reusing routes in tunnel
> mode we allow routing by different criteria when the inner packet is
> headed for the remote gateway. Your suggestion limits this a bit further,
> but we can still have a situation where all packets going through a
> tunnel take one path, except when the inner packet is heading for the
> remote gateway itself.
That's right. However, you should also look at it this way. We start with a policy with a transport mode SA. In order to protect the IP header we change it to use a tunnel mode SA with a host-to-host selector. With your patch this will change the route that the packet uses.

-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
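The routing inconsistency the two messages argue about can be made concrete with a small model. The C below is an added illustration, not code from the thread or from the kernel's xfrm code: it models the inner flow's addresses and a tunnel-mode SA's outer endpoints as plain 32-bit values, and compares three reroute rules, the existing remote-only check, the expanded `local || remote` check proposed in the quoted text, and "always reroute in tunnel mode" (the patch title). The SA endpoints and the three sample inner flows are constructed here for the example; `must_reroute` and `distinct_decisions` are hypothetical helper names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for the IPv4 fields of struct flowi (fl4_src/fl4_dst). */
struct flow4 { uint32_t src, dst; };

/* Minimal stand-in for a tunnel-mode SA: the outer header endpoints. */
struct tunnel_sa { uint32_t local, remote; };

enum reroute_policy {
    REROUTE_REMOTE_ONLY,      /* existing check: remote != fl->fl4_dst */
    REROUTE_LOCAL_OR_REMOTE,  /* proposed: local != src || remote != dst */
    REROUTE_ALWAYS            /* always reroute in tunnel mode */
};

/* Build a host-order IPv4 address from its dotted components (constructed helper). */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* True when the outer packet gets a fresh route lookup on its outer header;
 * false when the route already attached to the inner flow is reused. */
bool must_reroute(enum reroute_policy p, const struct tunnel_sa *sa,
                  const struct flow4 *fl)
{
    switch (p) {
    case REROUTE_REMOTE_ONLY:
        return sa->remote != fl->dst;
    case REROUTE_LOCAL_OR_REMOTE:
        return sa->local != fl->src || sa->remote != fl->dst;
    case REROUTE_ALWAYS:
        return true;
    }
    return true;
}

/* Over a set of inner flows that all traverse the same tunnel, count how many
 * distinct routing decisions occur: 1 means every packet follows the outer
 * route (consistent), 2 means some packets keep the inner route (the
 * inconsistency described in the thread). */
int distinct_decisions(enum reroute_policy p, const struct tunnel_sa *sa,
                       const struct flow4 *flows, size_t n)
{
    bool seen_reroute = false, seen_reuse = false;
    for (size_t i = 0; i < n; i++) {
        if (must_reroute(p, sa, &flows[i]))
            seen_reroute = true;
        else
            seen_reuse = true;
    }
    return (int)seen_reroute + (int)seen_reuse;
}

/* Constructed sample: local gateway 10.0.0.1, remote gateway 192.0.2.1. */
int sample_decisions(enum reroute_policy p)
{
    const struct tunnel_sa sa = { ip4(10, 0, 0, 1), ip4(192, 0, 2, 1) };
    const struct flow4 flows[] = {
        { ip4(10, 0, 0, 1), ip4(172, 16, 0, 5) }, /* host behind the remote gateway */
        { ip4(10, 0, 0, 1), ip4(192, 0, 2, 1) },  /* inner packet to the gateway itself */
        { ip4(10, 0, 0, 9), ip4(192, 0, 2, 1) },  /* forwarded host, also to the gateway */
    };
    return distinct_decisions(p, &sa, flows, sizeof flows / sizeof flows[0]);
}

int main(void)
{
    static const char *names[] = { "remote-only", "local||remote", "always" };
    for (int p = REROUTE_REMOTE_ONLY; p <= REROUTE_ALWAYS; p++)
        printf("%-14s distinct routing decisions: %d\n",
               names[p], sample_decisions((enum reroute_policy)p));
    return 0;
}
```

Running it shows the point of the reply above: the remote-only and the expanded `local || remote` checks both produce two different routing decisions for traffic through one tunnel (the packet whose inner destination is the remote gateway itself keeps the inner route), while rerouting unconditionally in tunnel mode yields a single decision for all of them.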