Re: unclear documentation with ipsec policy matcher


Hi,

The documentation I refer to is effectively ipset, but it has a module about IPsec, and this module is the one I need information about.

You may not be the person who maintains this particular module, but you may know who can answer this question and forward this mail to him.

I double-checked the link http://ipset.netfilter.org/iptables-extensions.man.html#lbBS

policy
This module matches the policy used by IPsec for handling a packet.

--dir {in|out}
    Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. in is valid in the PREROUTING, INPUT and FORWARD chains, out is valid in the POSTROUTING, OUTPUT and FORWARD chains.
--pol {none|ipsec}
    Matches if the packet is subject to IPsec processing. --pol none cannot be combined with --strict.


The behaviour is also counter-intuitive.

As an example:

If I receive an IPsec-encapsulated GRE packet, then a rule with --dir in --pol none will match the ESP packet,

and a rule with --dir in --pol ipsec will match the GRE packet.

By the way, what is the meaning of direction in/out in the forward context?

A little documentation and explanations about why things are named the way
they are would be a great enhancement.

Best regards,

Pierre.


On 27/02/2019 19:18, Jozsef Kadlecsik wrote:
On Wed, 27 Feb 2019, Pierre Colombier wrote:

Hi, I feel the documentation is quite unclear with this matcher.

http://ipset.netfilter.org/iptables-extensions.man.html#lbBS

The behaviour is also counter-intuitive.

As an example:

If I receive an IPsec-encapsulated GRE packet, then a rule with --dir in --pol
none will match the ESP packet,

and a rule with --dir in --pol ipsec will match the GRE packet.

By the way, what is the meaning of in/out in the forward context?

A little documentation and explanations about why things are named the way
they are would be a great enhancement.
The documentation you are referring to is about ipset and not ipsec.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
           H-1525 Budapest 114, POB. 49, Hungary
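The observation in the thread (ESP matched by --pol none, the inner GRE matched by --pol ipsec) follows from the packet traversing netfilter twice: first as the outer ESP packet, before any decapsulation has been applied, and then again as the decapsulated GRE packet, which now carries the security path that --dir in inspects. In FORWARD, --dir in refers to the policy the arriving packet was decapsulated with and --dir out to the policy that will encapsulate it on the way out. The script below is an added example, not code from the thread or from the netfilter project; it builds a ruleset that accepts GRE only when it arrived inside IPsec from a given peer and logs cleartext GRE. The peer address, chain name, and the ESP protocol assumption are constructed for the example; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Demonstrates how the
# iptables policy match sees an IPsec-encapsulated GRE packet:
#   pass 1: the outer ESP packet, not yet decapsulated, so
#           "-m policy --dir in --pol none" matches it;
#   pass 2: after xfrm decrypts it, the inner GRE packet re-enters the
#           stack with a security path attached, so
#           "-m policy --dir in --pol ipsec" matches it.
# IPT=echo turns the script into a dry run that prints the rules.
IPT="${IPT:-iptables}"
PEER="${PEER:-192.0.2.1}"        # constructed sample peer address (assumption)
CHAIN="${CHAIN:-IPSEC_GRE_IN}"   # chain name chosen for the example (assumption)

build_rules() {
    $IPT -N "$CHAIN"
    # Pass 1: IKE and ESP from the peer arrive with no IPsec policy applied
    # yet, so they are matched with --pol none.
    $IPT -A "$CHAIN" -s "$PEER" -p udp --dport 500 -m policy --dir in --pol none -j ACCEPT
    $IPT -A "$CHAIN" -s "$PEER" -p esp -m policy --dir in --pol none -j ACCEPT
    # Pass 2: GRE that was decapsulated from an ESP SA. The source address
    # checked here is the inner one, so we rely on the policy match rather
    # than on -s to prove the packet came through IPsec.
    $IPT -A "$CHAIN" -p gre -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Cleartext GRE has no security path: log it and drop it.
    $IPT -A "$CHAIN" -p gre -m policy --dir in --pol none -j LOG --log-prefix "gre-clear: "
    $IPT -A "$CHAIN" -p gre -j DROP
    $IPT -A INPUT -j "$CHAIN"
}

# Run the build when executed directly; a dry run needs only IPT=echo.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    build_rules
fi
```

The same two-pass logic applies in FORWARD: a rule with --dir in --pol ipsec there matches packets that were decapsulated on arrival, while --dir out --pol ipsec matches packets that an outbound xfrm policy will encapsulate when they leave.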


