On Sat, Oct 8, 2011 at 3:09 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On Saturday 2011-10-08 08:50, Prashant Batra wrote:
>
>>Hello,
>>
>>I am thinking of implementing user-space IPSec using the NETLINK_FIREWALL
>>protocol. This is how I am thinking of proceeding:
>>
>>-Get the plain packet being sent out into user space using an OUTPUT rule
>>with the QUEUE target. Encapsulate the packet and send out the ESP packet.
>>-Similarly, get the ESP packet sent from the peer gateway into user space
>>with an INPUT ESP-based rule, decrypt the packet and send it to the
>>application using raw sockets.
>>
>>But I have some doubts whether this will work just fine or not.
>
> _Outputting_ data to a raw socket fd is not going to make it appear in
> the _input path_.
>

The packets sent by the raw socket have to be captured by the OUTPUT rule.
I think this will happen, but I am sure that some things will not work.

> Don't make it more complicated than it needs to be.
>
> The kernel ESP encoder/decoder works just fine.
>

Actually, I have to do it, just because SCTP over IPv6 is not processed by
IPSec in the kernel. I have tried to apply some patches, but the kernel is
not very stable after that. I am using the 2.6.38 kernel.
If you have some info about a stable patch, please help me.

Regards,
Prashant
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
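The two steps Prashant describes (encapsulate the queued plaintext packet into ESP on the way out; verify and strip ESP on the way in before handing the payload on) are exactly the framing work a user-space implementation has to get right. The block below is an added example and is not code from this thread, from Prashant, or from the netfilter project. It implements RFC 4303 transport-mode ESP framing for an SCTP-over-IPv6 payload (ESP Next Header = 132) with the integrity-only combination ESP-NULL (RFC 2410) plus HMAC-SHA-256-128 (RFC 4868), chosen so it runs on the Python standard library; a real deployment would use AES-GCM or AES-CBC with HMAC, which needs a crypto library. It also carries the RFC 4303 section 3.4.3 anti-replay window that a user-space decapsulator must keep per SA. The key, SPI and the SCTP common header in `round_trip()` are constructed sample values (the SCTP CRC32c checksum is left at zero), and the outer IPv6 header, IKE key agreement and the raw-socket re-injection question Jan raises are out of scope.

```python
"""ESP (RFC 4303) transport-mode framing for an IPv6/SCTP payload with ESP-NULL +
HMAC-SHA-256-128, plus an anti-replay window. Added example, not code from the thread."""
import hashlib
import hmac
import struct

SCTP_PROTO = 132                 # IANA protocol number placed in the ESP Next Header field
ICV_LEN = 16                     # HMAC-SHA-256-128 (RFC 4868): 32-byte MAC truncated to 16 bytes
ALIGN = 4                        # payload+padding+padlen+nexthdr must end on a 4-byte boundary
ESP_HDR = struct.Struct("!II")   # SPI, sequence number (RFC 4303 section 2)
WINDOW = 64                      # anti-replay window size (RFC 4303 section 3.4.3)


def esp_encapsulate(spi, seq, inner, next_header, auth_key):
    """Wrap `inner` (the packet after the IPv6 header, e.g. an SCTP segment) as
    ESP header | payload | padding | pad length | next header | ICV.
    ESP-NULL carries the payload in clear; only integrity/anti-replay is provided."""
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("ESP sequence number must be in 1..2^32-1 (0 is never sent)")
    pad_len = (-(len(inner) + 2)) % ALIGN            # bring trailer onto a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default pad bytes 1, 2, 3, ...
    authed = ESP_HDR.pack(spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return authed + icv


def esp_decapsulate(packet, auth_key):
    """Verify the ICV first, then strip the ESP framing. Returns (spi, seq, next_header,
    payload). Raises ValueError on any failure; the caller must drop the packet."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time compare before any parsing
        raise ValueError("ESP ICV mismatch")
    spi, seq = ESP_HDR.unpack_from(authed)
    pad_len, next_header = authed[-2], authed[-1]
    body = authed[ESP_HDR.size:-2]
    if pad_len > len(body):
        raise ValueError("ESP pad length exceeds payload")
    if pad_len and body[-pad_len:] != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding bytes corrupted")
    return spi, seq, next_header, body[:len(body) - pad_len]


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3), one per inbound SA.
    Bit i of `bitmap` set means sequence number (top - i) has already been accepted."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record `seq` if it is new and inside the window, else False."""
        if seq == 0:
            return False                             # 0 is reserved, never valid on the wire
        if seq > self.top:                           # advance the window; this packet is bit 0
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                             # older than the window: drop
        if (self.bitmap >> diff) & 1:
            return False                             # already seen: replay
        self.bitmap |= 1 << diff
        return True


def round_trip():
    """Constructed sample: SCTP common header (ports, verification tag, checksum left 0)
    plus an 8-byte chunk placeholder; encapsulate, decapsulate, tamper, replay."""
    key = bytes(range(32))                           # constructed 256-bit integrity key
    inner = struct.pack("!HHII", 9999, 9999, 0x1A2B3C4D, 0) + bytes.fromhex("0100000800000000")
    pkt = esp_encapsulate(spi=0x1000, seq=1, inner=inner, next_header=SCTP_PROTO, auth_key=key)
    spi, seq, nh, payload = esp_decapsulate(pkt, key)
    tampered = bytearray(pkt)
    tampered[12] ^= 0x01                             # flip one bit inside the inner payload
    try:
        esp_decapsulate(bytes(tampered), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    win = ReplayWindow()
    first = win.check_and_update(seq)
    replay = win.check_and_update(seq)
    return {"len": len(pkt), "spi": spi, "seq": seq, "next_header": nh,
            "payload_ok": payload == inner, "tamper_detected": tamper_detected,
            "first_accepted": first, "replay_accepted": replay}


if __name__ == "__main__":
    print(round_trip())
```

Two design points worth keeping in a user-space decapsulator: the ICV is checked over the whole authenticated region before any field is parsed, so a forged pad length or next header never reaches the parsing code, and the replay window is updated only after the ICV passes, so an attacker cannot advance the window with unauthenticated packets.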