Re: Netfilter and IPSec


 



Jan Engelhardt wrote:


> The situation is deliberate, yes. IPsec is done in what you could
> call the xfrm subsystem, not netfilter. To that end, the only
> suggestion I could give is that you create a new xfrm policy/state
> from esp where esp is split into your encryption and signing
> "targets".

Thank you for all answers. The major problem I'm facing is the lack of documentation on that subsystem.
For example, how to create a policy. And after that?
My task is a bit easier, because I only need to use AH and not ESP.
Although a flexible solution would be of value :)

The kernel is still a bit unknown to me, so I'm having a bit of trouble with all the jargon you are using around.
But the few things I understood are being extremely helpful.

> It kinda brings me the question why the ipsec transformation is
> not done with an xtables target instead; that would also give
> handy access to connection tracking if needed.

With that I must agree!

--
------------------------------------------------------------------------------------------
Fábio Souto
LaSIGE , Navigators Group
Departamento de Informática, FC/UL
Block C6, room 6.3.32, Campo Grande
1749-016 Lisboa, Portugal
