hi,
i had posted to the lartc (no presponse) with a question that is
currently under discussion for 2.6 kernels ...
from the kptd shema (below) can someone point out where ispec
encrytion/decryption takes place in the diagram (2.4 kernels)? from
other posts, it appears that the meta data for the packet is maintained,
i.e., if we mark the eth0/esp packet in prerouting, that mark stays in
ipsec0 packet?
many thanks,
charles
Network
-----------+-----------
|
+-------+------+
| mangle |
| PREROUTING | <- MARK REWRITE
+-------+------+
|
+-------+------+
| nat |
| PREROUTING | <- DEST REWRITE
+-------+------+
|
+-------+------+
| ipchains |
| FILTER |
+-------+------+
|
+-------+------+
| QOS |
| INGRESS | <- controlled by tc
+-------+------+
|
packet is for +-------+------+ packet is for
this address | INPUT | another address
+--------------+ ROUTING +---------------+
| | + PRDB | |
| +--------------+ |
+-------+------+ |
| filter | |
| INPUT | |
+-------+------+ |
| |
+-------+------+ |
| Local | |
| Process | |
+-------+------+ |
| |
+-------+------+ |
| OUTPUT | +-------+-------+
| ROUTING | | filter |
+-------+------+ | FORWARD |
| +-------+-------+
+-------+------+ |
| mangle | |
| OUTPUT | MARK REWRITE |
+-------+------+ |
| |
+-------+------+ |
| nat | |
| OUTPUT | DEST REWRITE |
+-------+------+ |
| |
+-------+------+ |
| filter | |
| OUTPUT | |
+-------+------+ |
| |
+----------------+ +--------------------+
| |
+--+-------+---+
| ipchains |
| FILTER |
+-------+------+
|
+-------+------+
| nat |
| POSTROUTING | SOURCE REWRITE
+-------+------+
|
+-------+------+
| QOS |
| EGRESS | <- controlled by tc
+-------+------+
|
-----------+-----------
Network
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
