Hi Marco

Thanks for your reply. You wrote:

> You aren't seeing the clear text packet because you should log also the
> FORWARD chain: 'iptables -I FORWARD -j LOG'
>
> > This has been observed in e.g. this thread:
> > http://marc.theaimsgroup.com/?l=netfilter-devel&m=114010374229806&w=2
> >
> > However, I don't see any solution. What is your approach to filter
> > cleartext packets?
>
> You must filter packets in the FORWARD chain, neither INPUT nor OUTPUT

The packets do not traverse the FORWARD chain. I just added a log rule, i.e.
'iptables -I FORWARD -j LOG'. Even after issuing 'iptables -I FORWARD -j DROP',
the ipsec connection works perfectly (assuming that I accept PROTO=4 packets).
BTW, I used 2.6.16 this time since I currently cannot restart the system.

In fact, I would be surprised to see either the ESP or the cleartext packet in
FORWARD since both are destined to the local host.

> > Is the issue considered a bug?
>
> Yes, the issue in the above thread is a known bug to the netfilter team.

Hm, ok. I wonder what the current state of this issue is and how hard it is to
fix this bug.

Best regards,
Thomas
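As an added example that is not part of the thread (neither Thomas's nor Marco's commands), the LOG-based diagnostic discussed above becomes easier to read when each chain's LOG rule carries its own prefix and the resulting kernel log lines are reduced to chain, protocol and addresses. The IPT variable defaults to a dry run that only prints the iptables commands, and the sample log lines are constructed, following the ESP and PROTO=4 packets the thread reports.

```shell
#!/bin/sh
# Added example, not code from the thread. Tags each filter chain's LOG rule
# with a distinct --log-prefix so the kernel log shows which chain the ESP
# packet, the decapsulated PROTO=4 packet and any cleartext packet traversed.
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables as root to actually install them.
IPT="${IPT:-echo iptables}"

# Insert a LOG rule at the top of INPUT, FORWARD and OUTPUT, prefixed with the
# chain name. LOG records PROTO= by itself, so no per-protocol rules are needed.
install_log_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -I "$chain" -j LOG --log-prefix "$chain: "
    done
}

# Reduce one kernel LOG line to "CHAIN PROTO SRC->DST" so a run of log lines
# can be read at a glance (empty fields if the line is not a LOG line).
log_summary() {
    line="$1"
    chain=$(printf '%s\n' "$line" | sed -n 's/.*kernel: \([A-Z]*\): IN=.*/\1/p')
    proto=$(printf '%s\n' "$line" | sed -n 's/.*PROTO=\([A-Za-z0-9]*\).*/\1/p')
    src=$(printf '%s\n' "$line" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p')
    dst=$(printf '%s\n' "$line" | sed -n 's/.*DST=\([0-9.]*\).*/\1/p')
    printf '%s %s %s->%s\n' "$chain" "$proto" "$src" "$dst"
}

# Constructed sample log lines (not captured from a real system): the ESP
# packet and the decapsulated inner packet both show up in INPUT and nothing
# in FORWARD, which is the behaviour the thread describes.
SAMPLE_ESP='Mar 1 10:00:00 gw kernel: INPUT: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.2 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ESP SPI=0x1000'
SAMPLE_INNER='Mar 1 10:00:00 gw kernel: INPUT: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.2 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=4'

# Demo: print the rules (dry run) and summarise the two sample lines.
install_log_rules
log_summary "$SAMPLE_ESP"
log_summary "$SAMPLE_INNER"
```

Reading the summarised lines side by side shows immediately whether a given packet ever hit FORWARD or, as in the thread, only INPUT.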