On Fri, Jan 23, 2004 at 11:42:05AM -0800, David S. Miller wrote:
> On Fri, 23 Jan 2004 17:03:19 +0100
> Nico Schottelius <nico-linux-net@schottelius.org> wrote:
>
> > Is that right?
> >
> > This looks to me like a bug in netfilter...
>
> Netfilter first sees the pre-encrypted SSH TCP packets before they are
> encapsulated in ESP, and thus your rules say to drop those.
>
> That's just how things work currently.

JFYI: We're currently discussing how to proceed with this issue on
netfilter-devel (thread started at
http://lists.netfilter.org/pipermail/netfilter-devel/2004-January/013879.html).

--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie