Date: Wed, 21 Jan 2009 11:14:04 +0200
From: Timo Teräs <timo.teras@....fi>
To: netdev@...r.kernel.org, Herbert Xu <herbert@...dor.apana.org.au>
CC: David Miller <davem@...emloft.net>
Subject: NBMA GRE over IPsec behind NAT

Hi,

I sent a mail earlier about this subject, see:
http://marc.info/?l=linux-netdev&m=122232910618099&w=4

I've been thinking more about this and reading the code, trying to figure out how to fix this. One idea for the fix would be:

1. Include the NAT Original Address in NDA_LLADDR (this way we don't have to modify struct neighbour).
2. Add a new Neighbor Cache Entry Flag (NTF_NATOA?) to specify if the NAT-OA is present.
3. Modify the neighbor cache to cope with the new flag and address.
4. Add a NAT-OA field for ipv4 in struct flowi.
5. ipv4/xfrm4_policy.c: __xfrm4_find_bundle() to compare NAT-OA if it is specified in struct flowi.
6. Possibly ipv4/xfrm4_policy.c: _decode_session4() would extract the NAT-OA to struct flowi from skb->dst->neighbour.

Does this sound like something that might work? Would it be an acceptable approach?

- Timo
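The following is an added, stand-alone user-space model of the bundle-lookup change in step 5 of the proposal; it is not kernel code and not part of the mail. `struct flow_key`, `FL_HAS_NAT_OA`, `find_bundle()` and the `IP()` macro are hypothetical stand-ins for struct flowi, the proposed NTF_NATOA-style flag and __xfrm4_find_bundle(), and the two spokes behind one NAT are a constructed scenario. It shows why a lookup keyed only on the post-NAT addresses returns the first spoke's bundle for the second spoke, and how comparing the NAT-OA keeps the peers apart.

```c
/* Added example (not kernel code): a user-space model of the bundle lookup
 * the proposal changes. A flow key optionally carries the peer's NAT
 * Original Address (NAT-OA); the lookup compares it only when flagged. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define FL_HAS_NAT_OA 0x1  /* model of the proposed "NAT-OA present" flag */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct flow_key {          /* model of the struct flowi fields that matter here */
    uint32_t daddr;        /* outer destination: the NAT's public address */
    uint32_t saddr;
    uint8_t  proto;        /* 47 = GRE */
    uint32_t flags;
    uint32_t nat_oa;       /* proposed field: peer's pre-NAT address */
};

/* Cached bundles, one per peer; index+1 is the peer id.
 * Constructed scenario: two GRE spokes behind the same NAT (203.0.113.7),
 * told apart only by their pre-NAT addresses 10.0.0.2 and 10.0.0.3. */
static const struct flow_key bundles[] = {
    { IP(203,0,113,7), IP(198,51,100,1), 47, FL_HAS_NAT_OA, IP(10,0,0,2) },
    { IP(203,0,113,7), IP(198,51,100,1), 47, FL_HAS_NAT_OA, IP(10,0,0,3) },
};

/* Return the 1-based index of the first bundle matching fl, or 0 if none.
 * compare_nat_oa = false models today's lookup, true models the proposal. */
static int find_bundle(const struct flow_key *fl, bool compare_nat_oa)
{
    for (size_t i = 0; i < sizeof bundles / sizeof bundles[0]; i++) {
        const struct flow_key *k = &bundles[i];
        if (k->daddr != fl->daddr || k->saddr != fl->saddr || k->proto != fl->proto)
            continue;
        /* With NAT-OA in the key a peer sharing the NAT no longer matches
         * another peer's bundle; without it the first cached bundle wins. */
        if (compare_nat_oa && (fl->flags & FL_HAS_NAT_OA) &&
            (!(k->flags & FL_HAS_NAT_OA) || k->nat_oa != fl->nat_oa))
            continue;
        return (int)i + 1;
    }
    return 0;
}

static int lookup_spoke2(bool compare_nat_oa)  /* second spoke, NAT-OA 10.0.0.3 */
{
    struct flow_key fl = { IP(203,0,113,7), IP(198,51,100,1), 47,
                           FL_HAS_NAT_OA, IP(10,0,0,3) };
    return find_bundle(&fl, compare_nat_oa);  /* 1 without NAT-OA, 2 with it */
}
```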