> Venkat,
>
> With xfrm labeling, the external packets are always going to be protocol
> ESP or AH, and we can't connection track the inner protocols. So,

Are you sure? This doesn't compare to what my limited testing seems to have turned up (normal netfiltering of inner protos followed by xfrms, interspersed with their own netfiltering).

> external labeling when using xfrm labeling seems somewhat superfluous,
> except for the case of setting a label based on the interface the packets
> arrived on. Correct? If so, all you can realistically do with the flow
> permissions is bind the ESP/AH packets to types of interfaces (which does
> seem useful for some folk).