On Fri, Jun 27, 2003 at 02:24:50AM -0700, David S. Miller wrote:
>
> Hmmm, maybe you don't understand how it works. When IPCOMP's
> compression isn't deemed "worthwhile", we just end up with
> a plain IP/IP tunnel.

I think I'm not getting my point across. IPIP tunnels are fine because they have a network interface, so it's trivial to add a firewall rule to restrict the incoming inner source address.

AH/ESP/IPCOMP tunnels share the same interface as normal packets. Thus it is not possible to distinguish between them unless the firewall has access to security path information.

At the moment I don't think the firewall has access to security path information. So either we need to provide that information to netfilter, or (preferably) the policy check routine should be strengthened so that only inner source addresses specified by matching policies are allowed in AH/ESP/IPCOMP tunnels.

Cheers,
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
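To make the distinction in the mail concrete, here is an added Python model (not Herbert's code and not the kernel's xfrm implementation) of the two inbound policy checks: one that only matches the tunnel endpoints, and the strengthened one that also requires the inner addresses to fall inside the matching policy's selector. The Policy/Packet types and all addresses are constructed for the illustration.

```python
"""Model of the inbound tunnel-mode policy check discussed in the mail.
Added illustration with constructed addresses; not kernel code."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One inbound policy: selector (inner src/dst) plus tunnel endpoints."""
    sel_src: str      # inner source prefix the selector permits
    sel_dst: str      # inner destination prefix the selector permits
    tunnel_src: str   # outer source address (remote gateway)
    tunnel_dst: str   # outer destination address (local gateway)


@dataclass(frozen=True)
class Packet:
    """A decapsulated AH/ESP/IPCOMP packet: outer header plus inner header."""
    outer_src: str
    outer_dst: str
    inner_src: str
    inner_dst: str


def weak_check(pkt: Packet, policies: list[Policy]) -> bool:
    """Accept if the tunnel endpoints match some policy; the inner source
    is never looked at, which is the gap the mail describes."""
    return any(pkt.outer_src == p.tunnel_src and pkt.outer_dst == p.tunnel_dst
               for p in policies)


def strict_check(pkt: Packet, policies: list[Policy]) -> bool:
    """Accept only if the inner addresses lie inside the selector of a policy
    whose tunnel endpoints match the outer header (the proposed strengthening)."""
    inner_src, inner_dst = ip_address(pkt.inner_src), ip_address(pkt.inner_dst)
    for p in policies:
        if (pkt.outer_src, pkt.outer_dst) != (p.tunnel_src, p.tunnel_dst):
            continue
        if inner_src in ip_network(p.sel_src) and inner_dst in ip_network(p.sel_dst):
            return True
    return False


# Constructed sample: tunnel from remote gateway 203.0.113.2 to local gateway
# 203.0.113.1, carrying remote site 10.2.0.0/16 -> local site 10.1.0.0/16.
POLICIES = [Policy("10.2.0.0/16", "10.1.0.0/16", "203.0.113.2", "203.0.113.1")]
LEGIT = Packet("203.0.113.2", "203.0.113.1", "10.2.0.7", "10.1.0.5")
# Same tunnel endpoints, but the inner source claims a local-site address.
BAD_INNER_SRC = Packet("203.0.113.2", "203.0.113.1", "10.1.0.9", "10.1.0.5")
```

With only weak_check, BAD_INNER_SRC is accepted on the same interface as ordinary traffic; strict_check rejects it because 10.1.0.9 is outside the policy's source selector.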