Re: question about esp and policy matching rule


 



On 2010-07-19 05:29, Richard Knight wrote:

Hello,

  I don't fully understand the two rules below.

Since each of the rules gets inserted at position 1 in the table, the ESP
rule ends up below the policy matching rule. Will the ESP rule ever be
checked?

# allow all ipsec traffic into and out
$IP6_TABLES -I INPUT  1 -i $EXIF -p esp -j ACCEPT
$IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
$IP6_TABLES -I INPUT  1 -i $EXIF -m policy --dir in  --pol ipsec  -j ACCEPT
$IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec  -j ACCEPT

I have an application which does not seem to operate through my ipsec
tunnel without both rules in place; I'm having trouble figuring out why.


The order of those rules does not matter. They have different purposes and match different packets.

With IPSec involved, packets pass netfilter twice. For example, if you have an incoming ESP packet
that contains a UDP packet as payload, the following happens.

1. The ESP packet passes netfilter and matches the line with "-I INPUT -p esp"
2. The packet is decrypted and its payload (the UDP packet in this example) is processed further
3. The UDP packet passes netfilter and matches the line with "-I INPUT -m policy ...".

In other words, "-m policy" applies to packets after IPSec decapsulation (or before encapsulation, for outgoing packets).

--
Sergei.
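To make the two-pass behaviour described above concrete, here is an added model (not from the thread and not ip6tables itself) of how the two INPUT rules match on each pass; the interface name eth0 and a DROP chain policy are assumed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                         # "esp", "udp", ...
    iface: str                         # input interface (-i)
    ipsec_decapsulated: bool = False   # True once the kernel has stripped ESP
    payload: Optional[Packet] = None   # inner packet carried by an ESP packet

@dataclass
class Rule:
    target: str                        # ACCEPT or DROP
    iface: Optional[str] = None        # -i $EXIF
    proto: Optional[str] = None        # -p esp
    policy_in: bool = False            # -m policy --dir in --pol ipsec

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        # -m policy only matches packets that arrived inside an IPsec SA
        if self.policy_in and not pkt.ipsec_decapsulated:
            return False
        return True

def walk_chain(rules: list[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in an iptables chain; else the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

def deliver(rules: list[Rule], pkt: Packet) -> list[str]:
    """Verdict per netfilter pass: the outer packet, then (after decryption) its payload."""
    verdicts = [walk_chain(rules, pkt)]
    if verdicts[0] == "ACCEPT" and pkt.proto == "esp" and pkt.payload is not None:
        inner = Packet(pkt.payload.proto, pkt.iface, ipsec_decapsulated=True)
        verdicts.append(walk_chain(rules, inner))
    return verdicts

# Constructed ruleset, in the order the `-I INPUT 1` commands leave the chain
EXIF = "eth0"                 # assumed external interface name
POLICY_RULE = Rule("ACCEPT", iface=EXIF, policy_in=True)
ESP_RULE = Rule("ACCEPT", iface=EXIF, proto="esp")
BOTH_RULES = [POLICY_RULE, ESP_RULE]

def esp_carrying_udp() -> Packet:
    """Constructed inbound ESP packet whose decrypted payload is UDP."""
    return Packet("esp", EXIF, payload=Packet("udp", EXIF))
```

Dropping either rule leaves one of the two passes hitting the chain policy, which is why the application only works with both in place; a cleartext UDP packet on the same interface still hits the policy, since the `-m policy` rule only matches decapsulated IPsec traffic.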

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

