Re: question about esp and policy matching rule

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jul 19, 2010 at 4:44 PM, Sergei Zhirikov <sfzhi@xxxxxxxxx> wrote:
> On 2010-07-19 05:29, Richard Knight wrote:
>>
>> Hello,
>>
>>  I don't fully understand the two rules below.
>>
>> Since each of the rules are get inserted at position 1 in the table the
>> ESP
>> rule ends up below the policy matching rule, will the ESP rule ever be
>> checked?
>>
>> # allow all ipsec traffic into and out
>> $IP6_TABLES -I INPUT  1 -i $EXIF -p esp -j ACCEPT
>> $IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
>> $IP6_TABLES -I INPUT  1 -i $EXIF -m policy --dir in  --pol ipsec  -j
>> ACCEPT
>> $IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec  -j
>> ACCEPT
>>
>> I have an application which does not seem to operate through my ipsec
>> tunnel without both rules in place, I'm having trouble figuring out why.
>>
>
> The order of those rules does not matter. They have different purpose and
> match different packets.
>
> With IPSec involved packets pass netfilter twice. For example, if you have
> an incoming ESP packet
> that contains an UDP packet as payload the following happens.
>
> 1. The ESP packet passes netfilter and matches the line with "-I INPUT -p
> esp"
> 2. The packet is decrypted and its payload (the UDP packet in this example)
> is processed further
> 3. The UDP packet passes netfilter and matches the line with "-I INPUT -m
> policy ...".
>
> In other words, "-m policy" applies to packets after IPSec decapsulation (or
> before encapsulation, for outgoing packets).
>
> --
> Sergei.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

After decapsulation , will the ip packet will traverse prerouting chain again ?

-Ratheesh
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux