On Mon, Jul 19, 2010 at 4:44 PM, Sergei Zhirikov <sfzhi@xxxxxxxxx> wrote:
> On 2010-07-19 05:29, Richard Knight wrote:
>>
>> Hello,
>>
>> I don't fully understand the two rules below.
>>
>> Since each of the rules gets inserted at position 1 in the table, the ESP
>> rule ends up below the policy matching rule. Will the ESP rule ever be
>> checked?
>>
>> # allow all ipsec traffic into and out
>> $IP6_TABLES -I INPUT 1 -i $EXIF -p esp -j ACCEPT
>> $IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
>> $IP6_TABLES -I INPUT 1 -i $EXIF -m policy --dir in --pol ipsec -j ACCEPT
>> $IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec -j ACCEPT
>>
>> I have an application which does not seem to operate through my ipsec
>> tunnel without both rules in place; I'm having trouble figuring out why.
>>
>
> The order of those rules does not matter. They have different purposes and
> match different packets.
>
> With IPSec involved, packets pass netfilter twice. For example, if you have
> an incoming ESP packet that contains a UDP packet as payload, the following
> happens.
>
> 1. The ESP packet passes netfilter and matches the line with "-I INPUT -p esp".
> 2. The packet is decrypted and its payload (the UDP packet in this example)
>    is processed further.
> 3. The UDP packet passes netfilter and matches the line with
>    "-I INPUT -m policy ...".
>
> In other words, "-m policy" applies to packets after IPSec decapsulation (or
> before encapsulation, for outgoing packets).
>
> --
> Sergei.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

After decapsulation, will the IP packet traverse the PREROUTING chain again?

-Ratheesh
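The two-pass behaviour Sergei describes, as an added example that is not part of the thread: a toy model of the INPUT chain in which an inbound ESP packet is evaluated once as ESP and, if accepted, once more as its decapsulated payload carrying the IPsec mark. It shows that the "-p esp" and "-m policy --dir in --pol ipsec" rules match on different passes, that the order the two "-I INPUT 1" commands run in does not change the outcome, and that dropping either rule leaves one pass unmatched. All names (Packet, Rule, build_chain, inbound_verdicts, the from_ipsec flag standing in for the kernel's secpath) are hypothetical; the sample packets are constructed.

```python
# Added example, not code from the netfilter list thread. Simplified model of
# the two netfilter passes an inbound ESP packet makes; the kernel records the
# IPsec association in the packet's secpath, modelled here as a boolean flag.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str                          # "esp", "udp", "tcp", ...
    from_ipsec: bool = False            # True only after ESP decapsulation
    payload: Optional["Packet"] = None  # inner packet carried by an ESP packet


@dataclass
class Rule:
    target: str                         # "ACCEPT" or "DROP"
    proto: Optional[str] = None         # -p <proto>
    pol_ipsec: Optional[bool] = None    # -m policy --dir in --pol ipsec (True) / --pol none (False)

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.pol_ipsec is not None and pkt.from_ipsec != self.pol_ipsec:
            return False
        return True


def run_chain(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def decapsulate(esp: Packet) -> Packet:
    """Model of the xfrm input path: the inner packet reappears with the
    IPsec mark set and re-enters the INPUT chain as a fresh packet."""
    assert esp.proto == "esp" and esp.payload is not None
    return Packet(esp.payload.proto, from_ipsec=True)


def inbound_verdicts(rules: List[Rule], pkt: Packet) -> List[str]:
    """Verdict per netfilter pass: one for a cleartext packet, two for an ESP
    packet whose outer header was accepted (the second pass is the payload)."""
    verdicts = [run_chain(rules, pkt)]
    if pkt.proto == "esp" and verdicts[0] == "ACCEPT":
        verdicts.append(run_chain(rules, decapsulate(pkt)))
    return verdicts


def build_chain(*inserts: Rule) -> List[Rule]:
    """Apply a sequence of '-I INPUT 1' commands: each insert lands on top."""
    chain: List[Rule] = []
    for rule in inserts:
        chain.insert(0, rule)
    return chain


ESP_RULE = Rule("ACCEPT", proto="esp")          # -p esp -j ACCEPT
POLICY_RULE = Rule("ACCEPT", pol_ipsec=True)    # -m policy --dir in --pol ipsec -j ACCEPT

# Constructed sample traffic: a UDP datagram inside ESP, and the same datagram
# sent in the clear (no IPsec involved).
ESP_PACKET = Packet("esp", payload=Packet("udp"))
CLEAR_UDP = Packet("udp")


if __name__ == "__main__":
    for name, chain in [("esp then policy", build_chain(ESP_RULE, POLICY_RULE)),
                        ("policy then esp", build_chain(POLICY_RULE, ESP_RULE)),
                        ("esp only", build_chain(ESP_RULE)),
                        ("policy only", build_chain(POLICY_RULE))]:
        print(f"{name:16} ESP-wrapped UDP -> {inbound_verdicts(chain, ESP_PACKET)}"
              f"   cleartext UDP -> {inbound_verdicts(chain, CLEAR_UDP)}")
```

With both rules, in either insertion order, the ESP packet is accepted on the first pass by the "-p esp" rule and its UDP payload on the second by the policy rule. With only the ESP rule the payload is dropped on the second pass; with only the policy rule the outer ESP packet is dropped on the first, so the second pass never happens. A cleartext UDP packet carries no IPsec mark and matches neither rule, which is what keeps the policy rule from becoming a general allow.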