On Mon, 15 Dec 2003, Antony Stone wrote:

> On Sunday 14 December 2003 10:30 pm, Peter Hoeg wrote:
>
> > The REAL problem is since I need to allow connections from the wireless LAN
> > segment to go onto the internet and it seems like the connections only hit
> > the FORWARD chain AFTER the kernel has done all its magic with unpacking
> > the encrypted packages. What I would like to do is something like:
>
> I have used IPtables + FreeS/WAN a fair amount, and I created a diagram some
> time ago which showed the (surprisingly complex) route packets take through
> the system when you have such a combination.

FreeS/WAN is different from the in-kernel IPsec of 2.6.

> 2. The packet gets processed by the Klips kernel-level IPsec module, gets
> decrypted, and appears on the ipsec0 virtual interface.

The in-kernel IPsec does not have an ipsec0 virtual interface; that is where
the problem comes from. I don't see a way yet to distinguish decapsulated
IPsec traffic from eth0 to eth1 from raw traffic between the two interfaces.

c'ya
sven

--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
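As an added illustration of the two models discussed in this thread (not code posted by any of the participants): with KLIPS the decrypted packet re-enters on ipsec0, so the FORWARD rules can key on that interface; with the 2.6 in-kernel IPsec there is no such interface, and the check that later 2.6 kernels provide for this purpose is the iptables `policy` match (xt_policy), which reports whether a packet arrived inside an IPsec SA. The interface names eth0/eth1, the wireless subnet and the `IPT` dry-run variable are assumptions made for this example; it only echoes the rules unless `IPT=iptables` is set and it is run as root.

```shell
#!/bin/sh
# Added example: FORWARD rules that accept only traffic that arrived from the
# wireless segment through the VPN and drop cleartext from the same interface.
# IPT defaults to a dry run that prints the commands instead of applying them.
IPT="${IPT:-echo iptables}"
WLAN_IF="eth1"                 # wireless segment (assumed name)
INET_IF="eth0"                 # internet-facing interface (assumed name)
WLAN_NET="192.168.10.0/24"     # constructed sample range for the wireless clients

# KLIPS / FreeS/WAN model from the quoted message: decrypted packets appear on
# the ipsec0 virtual interface, so the input interface itself is the marker.
klips_rules() {
    $IPT -A FORWARD -i ipsec0 -o "$INET_IF" -s "$WLAN_NET" -j ACCEPT
    # anything from the wireless NIC that did not come through ipsec0 is cleartext
    $IPT -A FORWARD -i "$WLAN_IF" -o "$INET_IF" -j DROP
}

# In-kernel (2.6 xfrm) model: decrypted packets keep the physical input interface,
# so the rule asks the policy match whether the packet was IPsec-protected on input.
xfrm_rules() {
    $IPT -A FORWARD -i "$WLAN_IF" -o "$INET_IF" -s "$WLAN_NET" \
        -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
    # same interface pair, but the packet was not decapsulated: refuse it
    $IPT -A FORWARD -i "$WLAN_IF" -o "$INET_IF" -j DROP
}

klips_rules
xfrm_rules
```

Rule order carries the logic in both variants: the ACCEPT that proves the packet came through the tunnel is evaluated first, and the unconditional DROP for the same interface pair catches the cleartext remainder.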