On Mon, 2009-08-03 at 12:03 -0400, Sebastien Roy wrote: > On Sat, 2009-08-01 at 09:44 -0400, James Carlson wrote: > > Sebastien Roy wrote: > > > > snoop_ether.c: > > > > 1704: what happens with IPsec or labeling? > > There are no IPsec headers here. Promiscuous streams get their packets > from GLDv3. On receive, IPsec processing occurs before packets are > passed up to GLDv3. On transmit IPsec processing occurs after packets > have been send down by GLDv3. > > ACCEPT the part regarding labeling, it looks like that won't work > indeed. I'll fix this code to skip any extension headers (not just > those associated with TX labels).
Revising this: There's nothing to do here. The iptun module doesn't pass up anything like that. As with IPsec processing, label insertion and removal happens "below" the point where GLDv3 passes packets up to promiscuous clients. As the comment states, the only IPv6 packets we'll ever see from iptun are either without extension headers, or with a single destination options header containing an encapsulation limit. -Seb
