Re: Questions on VPNs

On Sun, 2005-03-13 at 19:26, Jeff Simmons wrote:
> Using the native IPSEC code in kernel 2.6, when a tunneled ESP packet is 
> passed by the INPUT chain and then decoded on a VPN gateway, is it then 
> processed by any other chain?

yes.  either INPUT or FORWARD depending on the destination of the
decrypted packet.  with 2.6 IPsec, all packets pass twice:  once as ESP,
once in decrypted form.

the accepted way to identify decrypted IPsec packets with the native 2.6
stack is to MARK the ESP packets and match the decrypted packets based on
that mark.

-j

--
"Let us all bask in television's warm glowing warming glow."
	--The Simpsons
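The mark-and-match pattern from the reply above, written out as an iptables rule set. This is an added example, not code from the thread or from the netfilter project. The peer address 203.0.113.10, the subnets 10.20.0.0/16 and 10.10.0.0/16, and the mark value 0x1 are constructed for the example. The idea is that the ESP packet is marked in mangle PREROUTING; when the 2.6 stack decapsulates it and the cleartext packet makes its second pass through the chains, it carries the same mark, so INPUT and FORWARD can tell "came out of the tunnel" from "arrived as plain IP". The trailing DROP rules are the check a practitioner wants: cleartext packets claiming a remote-subnet source but lacking the mark never entered through IPsec and are rejected.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables rules that mark ESP
# packets and match the decrypted packets on that mark.
# Assumptions (constructed for this example): the VPN peer is 203.0.113.10,
# the remote protected subnet is 10.20.0.0/16, the local LAN is 10.10.0.0/16,
# and mark 0x1 is reserved to mean "arrived through the IPsec tunnel".
PEER=${PEER:-203.0.113.10}
REMOTE_NET=${REMOTE_NET:-10.20.0.0/16}
LOCAL_NET=${LOCAL_NET:-10.10.0.0/16}
IPSEC_MARK=${IPSEC_MARK:-0x1}

# Emit the rule set, one iptables invocation per line.
# Order matters: the MARK rule runs first (mangle PREROUTING, before INPUT),
# the ACCEPT rules match on the mark, and the DROP rules catch unmarked
# cleartext that merely claims a remote-subnet source address.
ipsec_mark_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -p esp -s $PEER -j MARK --set-mark $IPSEC_MARK
iptables -A INPUT -p esp -s $PEER -j ACCEPT
iptables -A INPUT -m mark --mark $IPSEC_MARK -s $REMOTE_NET -j ACCEPT
iptables -A FORWARD -m mark --mark $IPSEC_MARK -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
iptables -A INPUT -s $REMOTE_NET -j DROP
iptables -A FORWARD -s $REMOTE_NET -j DROP
EOF
}

# Apply the rules when running as root with iptables installed; otherwise
# only print them so the set can be reviewed first.
apply_ipsec_mark_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        ipsec_mark_rules | while IFS= read -r rule; do
            sh -c "$rule"
        done
    else
        ipsec_mark_rules
    fi
}
```

Run `apply_ipsec_mark_rules` (as root on the gateway, or unprivileged to just see the rules). Two things to keep in mind: the scheme only works if nothing else on the box sets or clears that mark value, so reserve it for IPsec alone; and the IKE traffic (UDP 500, and 4500 for NAT-T) still needs its own INPUT rule, which is deliberately left out here to keep the ESP/mark logic clear.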


