Re: Fw: [Bugme-new] [Bug 5936] New: Openswan tunnels + netfilter problem
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2006-01-25 09:57:46
Also in:
netfilter-devel
On Wed, Jan 25, 2006 at 10:25:27AM +0100, Patrick McHardy wrote:
> I don't like adding this special behaviour for NAT, people need to adjust their rulesets for filtering etc. anyway. We could stop rerouting packets in between transforms (when both dst->xfrm and IPSKB_XFRM_TRANSFORMED are set), but this is inconsistent with what happens on input, when a packet is DNATed in PRE_ROUTING it does

Actually we can never achieve perfect symmetry because the two cases are fundamentally different. On outbound we start with a template which guides us all the way to the end. On inbound we (currently) don't determine the policy until the very end.

> affect the SA lookup. So I think I'd prefer handling this case in xfrm[46]_output_finish, but I need to think about it a bit more.

Having said that I'm certainly not averse to such a solution. The only thing I would like to see is for it to be flexible enough so that you always get at least one chance to SNAT before the xfrm_policy is completely pinned down. This should leave the user with enough flexibility to do whatever they wish.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt