Sebastien Roy wrote: > On Mon, 2009-08-03 at 12:03 -0400, Sebastien Roy wrote: >> On Sat, 2009-08-01 at 09:44 -0400, James Carlson wrote: >>> Sebastien Roy wrote: >>> >>> snoop_ether.c: >>> >>> 1704: what happens with IPsec or labeling? >> There are no IPsec headers here. Promiscuous streams get their packets >> from GLDv3. On receive, IPsec processing occurs before packets are >> passed up to GLDv3. On transmit IPsec processing occurs after packets >> have been send down by GLDv3. >> >> ACCEPT the part regarding labeling, it looks like that won't work >> indeed. I'll fix this code to skip any extension headers (not just >> those associated with TX labels). > > Revising this: There's nothing to do here. The iptun module doesn't > pass up anything like that. As with IPsec processing, label insertion > and removal happens "below" the point where GLDv3 passes packets up to > promiscuous clients. > > As the comment states, the only IPv6 packets we'll ever see from iptun > are either without extension headers, or with a single destination > options header containing an encapsulation limit.
So, if a packet looks like this on the wire: <outer-IPv6><hop-by-hop><inner-IPv6><TCP> We'll actually see this in snoop? <outer-IPv6><inner-IPv6><TCP> That's not quite what I was expected. I didn't think it'd remove bytes from the middle of the packet. -- James Carlson 42.703N 71.076W <carlsonj at workingcode.com>
