Re: iptables, ipsec, and host2host

On Tue, 17 Feb 2009, Joe Pruett wrote:

i have to now beg forgiveness. i think i ended up doing some of my testing on a rhel/centos 4 box which is only 2.6.9 with ipsec backported. now that i correctly tested on my version 5 box, everything is working as i expect. follow that with a few minutes of code reading and i convinced myself that host2host just wasn't doing what i wanted. i'll go crawl back under the rocks now :-).

and i forgot to add that the rhel/centos 4 kernel does not reprocess the decrypted/decapsulated packets. once you accept the ah/esp packet, it doesn't go through iptables again. this is ok for my scenario where i want my central machine to be able to see inside the firewall of the remote systems. i just don't want the remotes to be able to see back beyond what the normal firewall allows. i've already learned about using packet marks to allow my net2net traffic to bypass the firewalls and was expecting to need the same for host2host and when the first box i tried didn't need that, i started digging and got myself turned around. so at least i'm not a total crackpot.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
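As an added illustration of the behaviour discussed above (not code from this thread or from the netfilter project): on a kernel that re-injects decapsulated IPsec packets into netfilter, merely accepting ESP no longer admits the inner packet, so the remote side needs explicit rules for the second pass. The script below assumes a kernel with the policy match (xt_policy), a constructed central host 192.0.2.1 and mark 0x10, and by default only prints the rules (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example, not part of the original message. IPT defaults to a dry run
# that echoes each rule; export IPT=iptables on a test box to apply them.
IPT="${IPT:-echo iptables}"
CENTRAL=192.0.2.1        # constructed address of the central machine
MARK=0x10                # constructed mark meaning "arrived via the IPsec SA"

ipsec_rules() {
    # Pass 1: the packet arrives as ESP / IKE from the central host. Accept
    # only the outer protocol traffic from that peer.
    $IPT -A INPUT -p esp -s "$CENTRAL" -j ACCEPT
    $IPT -A INPUT -p udp --dport 500 -s "$CENTRAL" -j ACCEPT

    # Pass 2: after decapsulation the inner packet traverses PREROUTING/INPUT
    # again. The policy match identifies packets that came out of an IPsec SA;
    # mark them so later rules can tell tunnel traffic from cleartext traffic
    # that merely claims the same source address.
    $IPT -t mangle -A PREROUTING -m policy --dir in --pol ipsec --proto esp \
        -s "$CENTRAL" -j MARK --set-mark "$MARK"

    # Only marked (decrypted) packets bypass the normal firewall; an unmarked
    # packet spoofing the central host's address is dropped here.
    $IPT -A INPUT -m mark --mark "$MARK" -j ACCEPT
    $IPT -A INPUT -s "$CENTRAL" -j DROP
}

ipsec_rules
```

Nothing here loosens the central host's own INPUT chain, which matches the scenario above where the remotes must not see back beyond what the normal firewall allows.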
