Aleksandar Milivojevic wrote:
I'm writing a set of firewall rules for an IPSec based VPN, and have a couple of questions. I know that packets are supposed to go through the Netfilter tables twice (as received from the wire, and then as output by the IPSec module). However, what I noticed is that this seems to be true only for incoming packets. The outgoing packets seem to go through the Netfilter tables only once.
Thanks to everybody who replied on the list and off-list. I'll just write a short summary.
Apparently, this is a known problem and it has been discussed on Netfilter's development lists. There are some patches that solve it, but they are not going to get into the mainstream kernel since the approach taken in them is problematic (and according to some sources, those patches are abandoned and not maintained anymore). I wasn't able to find out why the approach is problematic, but apparently the answer to that question is buried somewhere in the archives of Netfilter's development list. It seems that the correct approach to solve the problem still needs to be found (and once found and implemented it will become part of the mainstream kernel).