Re: iptables, ipsec, and host2host

On Wed, 28 Jan 2009, Joe Pruett wrote:

> i have been scouring the net and i can't find any clues to whether i can do filtering after ipsec has decrypted a packet on a host2host connection. net2net goes through the filters a second time, but host2host doesn't seem to do that. is there some other method i can use to filter the traffic after being decrypted?

ok, i'm following up to myself. i dug into the kernel source (for redhat/centos 5) and have found that there don't appear to be any hooks in the ah4.c or esp4.c code to pass packets back through netfilter after decapsulation/decryption. from what i can tell tunnel mode (net2net) gets the double pass through netfilter only because of the use of the ip-ip protocol and ipip.c does a netif_rx call after decapsulation.

so maybe i should go dig into the current (from linus) kernel sources to see if there have been any changes. but i'm hoping that someone here might know if there is a reason that ah/esp packets aren't passed through netfilter again after being decapsulated/decrypted? or should i go find the ipsec mailing list?

my underlying goal is for a monitoring system that i want to be able to see into customer sites via ipsec, but i don't want them to be able to come back over the ipsec connection to my system. i could set up tunnels to each site, but host2host is really more what i want.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
