Re: question about esp and policy matching rule

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Monday 2010-07-19 05:29, Richard Knight wrote:
>rule ends up below the policy matching rule, will the ESP rule ever be
>checked?

Yes; -m policy applies to the in-tunnel packets only.

># allow all ipsec traffic into and out
>$IP6_TABLES -I INPUT  1 -i $EXIF -p esp -j ACCEPT
>$IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
>$IP6_TABLES -I INPUT  1 -i $EXIF -m policy --dir in  --pol ipsec  -j ACCEPT
>$IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec  -j ACCEPT
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux