I hope someone else here can now fill in some useful details for you, given
that you're using 2.6.6
Regards,
Antony.
I'm not an expert, but AFAIK, and because it works this way for me, I think that in 2.6 the process is very similar.
In the 2.6 ipsec implementation there is no virtual interface like ipsec0 or anything else; the packets, both encrypted and unencrypted, come from the same interface, for example eth0. They traverse netfilter two times, like in 2.4: the first time they get to the INPUT chain, and if accepted they traverse netfilter again in the normal process.
The reason I mark my packets at STEP 1 when they come in encrypted is because I needed a way to identify packets that arrived ENCRYPTED, got decrypted and accepted by ipsec, and are traversing netfilter for the second time.
This way I can be sure that I handle only packets that have been accepted by ipsec, and I can feel good :)
For example, I use ipsec for my WIFI lan and I have this kind of rules:
1) MANGLE/PREROUTING for packets arriving in esp protocol
iptables -t mangle -A PREROUTING -s $Y_WIFI_HOSTS -i $MY_WIFI_INTERFACE -p esp -j MARK --set-mark 10
2) INPUT for packets arriving in esp protocol
iptables -A INPUT -p esp -j ACCEPT
Now IPSEC will authenticate and eventually accept the packets.
3) INPUT and FORWARD for previously authenticated packets
iptables -A FORWARD -m mark --mark 10 -j MY_FORWARD_CHAIN
iptables -A INPUT -m mark --mark 10 -j MY_INPUT_CHAIN
bye
-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
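The two-pass traversal described in the post, as an added simulation that is not part of the original message: an ESP packet from the WiFi subnet gets the mark in mangle/PREROUTING, is accepted by the `-p esp` INPUT rule, is decrypted, and its cleartext re-enters INPUT on the same interface with the mark still attached, so only the mark-matching rule hands it to MY_INPUT_CHAIN. A cleartext packet from the same interface never gets the mark and is dropped. The subnet, interface name, the contents of MY_INPUT_CHAIN, the default policy of DROP, and the sample packets are all constructed for the example; the assumption that the skb mark survives decapsulation is the one the post itself relies on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Values the post leaves as shell variables; these are constructed for the simulation.
ESP_MARK = 10
WIFI_IFACE = "eth0"
WIFI_HOSTS = ip_network("192.168.50.0/24")


@dataclass
class Packet:
    iface: str
    src: str
    proto: str                        # "esp", "tcp" or "udp"
    dst_port: Optional[int] = None
    mark: int = 0                     # the skb mark netfilter carries with the packet
    inner: Optional["Packet"] = None  # for ESP: the cleartext packet it encapsulates


def mangle_prerouting(pkt: Packet) -> Packet:
    """Rule 1: -t mangle -A PREROUTING -s WIFI_HOSTS -i WIFI_IFACE -p esp -j MARK --set-mark 10"""
    if (pkt.proto == "esp" and pkt.iface == WIFI_IFACE
            and ip_address(pkt.src) in WIFI_HOSTS):
        pkt.mark = ESP_MARK
    return pkt


def my_input_chain(pkt: Packet) -> str:
    """Constructed stand-in for MY_INPUT_CHAIN: only SSH through the tunnel is allowed."""
    return "ACCEPT" if pkt.proto == "tcp" and pkt.dst_port == 22 else "DROP"


def filter_input(pkt: Packet) -> str:
    """Rule 2 then rule 3 of the INPUT chain, with an assumed default policy of DROP."""
    if pkt.proto == "esp":                # -A INPUT -p esp -j ACCEPT
        return "ACCEPT"
    if pkt.mark == ESP_MARK:              # -A INPUT -m mark --mark 10 -j MY_INPUT_CHAIN
        return my_input_chain(pkt)
    return "DROP"


def ipsec_decrypt(pkt: Packet) -> Packet:
    """Stand-in for the kernel's ESP input path: the decrypted packet re-enters netfilter
    on the same interface and keeps the mark set on the ESP packet (what the post relies on)."""
    inner = pkt.inner
    inner.iface = pkt.iface
    inner.mark = pkt.mark
    return inner


def deliver(pkt: Packet) -> str:
    """Walk a locally destined packet through both traversals and return the final verdict."""
    pkt = mangle_prerouting(pkt)
    verdict = filter_input(pkt)
    if pkt.proto != "esp" or verdict != "ACCEPT":
        return verdict                    # cleartext packets are decided on the first pass
    inner = ipsec_decrypt(pkt)            # second pass: cleartext, same interface, mark kept
    return filter_input(mangle_prerouting(inner))


def esp_packet(src: str, iface: str, proto: str, port: int) -> Packet:
    """Build an ESP packet from src carrying a cleartext packet for local port `port`."""
    return Packet(iface, src, "esp", inner=Packet(iface, src, proto, port))


def run_scenarios() -> dict:
    """Constructed sample traffic: the verdict for each case."""
    return {
        "esp_from_wifi_ssh":    deliver(esp_packet("192.168.50.7", "eth0", "tcp", 22)),
        "esp_from_wifi_telnet": deliver(esp_packet("192.168.50.7", "eth0", "tcp", 23)),
        "cleartext_wifi_ssh":   deliver(Packet("eth0", "192.168.50.7", "tcp", 22)),
        "esp_from_other_net":   deliver(esp_packet("10.9.9.9", "eth0", "tcp", 22)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The "esp_from_other_net" case shows why the `-s`/`-i` qualifiers on the MARK rule matter: an ESP packet that arrives from outside the WiFi subnet is still handed to IPsec, but its decrypted payload carries no mark and falls through to the default policy. On later 2.6 kernels the policy match (`-m policy --dir in --pol ipsec`) expresses "this packet was decapsulated by IPsec" directly, without the mark round-trip.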