Hi Rick,

> Since ESP packets that reach the mangle INPUT chain are destined for a
> local process, why not unencapsulate them just before that point? It
> might still be nice to have an indication that this was once an ESP
> packet for filtering, but that could be done by setting a mark in the
> mangle PREROUTING chain.

The ESP itself will presumably be for a security association (SA) which terminates on the machine, but it could easily be for some tunnel, in which case the unencrypted packet should be sent through FORWARD instead of INPUT.

Logically, it makes sense to me that the packet should pass through the whole of Netfilter _again_ after it's been decapsulated, similarly to what now happens with FreeS/WAN (but presumably without an ipsec0 interface being involved).

Or, maybe it should be decapsulated before routing (and hence visible unencrypted in FORWARD, INPUT and OUTPUT).

Cheers, Chris.

--
   ___ __ _
  / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
 / (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
 \ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
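As an added illustration of the model Chris describes (not part of the original message or of any project named in it): an iptables-restore style ruleset for a kernel whose native IPsec stack re-injects the decrypted packet so that it traverses PREROUTING and then INPUT or FORWARD a second time, with the `policy` match (xt_policy) used to recognise that second pass. The mark value, the 10.1.0.0/16 inner network and the default policies are constructed for the example; it does not assume the PREROUTING mark survives decapsulation.

```text
*mangle
:PREROUTING ACCEPT [0:0]
# Tag the still-encrypted ESP packet on its first pass, as suggested in the quoted mail.
-A PREROUTING -p esp -j MARK --set-mark 0x1
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# First pass: ESP addressed to an SA that terminates on this host (plus IKE for it).
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p esp -m mark --mark 0x1 -j ACCEPT
# Second pass, cleartext for a local process: matched by the IPsec policy it arrived under,
# so ordinary plaintext never satisfies this rule.
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Second pass, cleartext from a tunnel-mode SA being routed onward: the "FORWARD instead of
# INPUT" case from the reply above.
-A FORWARD -m policy --dir in --pol ipsec --mode tunnel --proto esp -j ACCEPT
# Cleartext claiming the tunnel's inner source range that did NOT arrive through IPsec is
# spoofed and is dropped; this check is only possible because the decapsulated packet
# re-traverses netfilter.
-A FORWARD -s 10.1.0.0/16 -m policy --dir in --pol none -j DROP
# Outbound: only let the inner network leave if it will be protected by an SA.
-A FORWARD -d 10.1.0.0/16 -m policy --dir out --pol ipsec --mode tunnel --proto esp -j ACCEPT
COMMIT
```

Load with `iptables-restore < file`; without the policy match a filter rule cannot distinguish a decapsulated packet from one that arrived in the clear, which is the gap the "once an ESP packet" indication in the quoted mail was meant to close.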