On Fri, 11 Nov 2005, Gerd v. Egidy wrote:
> Hi,
>
> > This is the latest set of patches for netfilter IPsec support. The use
> > of netif_rx for the innermost SA if it used transport mode has been
> > replaced by explicit NF_HOOK calls in xfrm{4,6}_input.c.
>
> Could you please describe the solution you implemented a bit more? There
> was just so much back and forth that I'm confused now.
OK, some explanation. In tunnel mode, packets go through the stack again after decapsulation and hit the PRE_ROUTING and LOCAL_IN or FORWARD hook, depending on whether the packet is local or forwarded. For symmetry, there are now some additional hooks on the output path which pass the packet through LOCAL_OUT and POST_ROUTING after tunnel mode transforms. This part behaves just as any other tunnel.

Transport mode is special: we usually don't want to see packets before or after transport mode transforms except if it was the plain text packet (the transport mode SA is the innermost SA of the bundle). On the output path this already works because packets always hit netfilter before reaching the transforms; on the input path packets are manually passed through PRE_ROUTING and INPUT in this case.

For NAT we do two things: when a packet is NATed after already being routed (including the xfrm lookup), it is routed again. If an incoming packet is NATed before the policy check, the policy check reconstructs how the packet looked before NAT.
> If I use it with iptables, do the transport mode packets go through INPUT
> and OUTPUT twice, decrypted and encrypted?
Yes, if the transport mode transform is the innermost transform of the bundle (or the only one).
> If I use it with iptables, do the tunnel mode packets go through FORWARD
> or INPUT and OUTPUT twice, decrypted and encrypted?
Yes.
> Can I do NAT in tunnel and transport mode?
Yes, even NATing forwarded packets and protecting them using a transport mode SA works.
> What about the policy match patches, why are they only posted "for
> completeness" and as 11/12 of 10? Aren't they ready yet?
They should be fine.
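The double traversal described in this reply has a direct consequence for firewall rules: a host that should only talk to its IPsec peer needs one rule for the ESP/AH packet on the first pass through INPUT and a second rule, using the iptables policy match the thread mentions, for the decrypted packet on its second pass. The script below is an added illustration, not code from the patch set or from either poster; the peer address, the SSH port and the `ipsec_input_rules` / `IPSEC_MODE` names are assumptions chosen for the example, and the function only prints the rules so they can be reviewed before being fed to a root shell.

```shell
#!/bin/sh
# Constructed example: generate an iptables ruleset for a host that accepts
# IPsec-protected traffic from one peer, relying on the two-pass hook
# traversal described in the thread (ESP on pass one, plaintext on pass two).
# PEER is an assumed documentation address; IPSEC_MODE selects tunnel or transport.

PEER="${PEER:-192.0.2.10}"
IPSEC_MODE="${IPSEC_MODE:-transport}"

# Print the rules for the given mode, one per line, without applying them.
# Returns 1 on an unknown mode so a typo never yields a half-built ruleset.
ipsec_input_rules() {
    mode="$1"
    case "$mode" in
        tunnel|transport) ;;
        *) echo "unknown IPsec mode: $mode" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -A INPUT -p esp -s $PEER -j ACCEPT
iptables -A INPUT -p ah -s $PEER -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec --mode $mode --proto esp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -m policy --dir out --pol ipsec --mode $mode --proto esp -j ACCEPT
iptables -A OUTPUT -p esp -d $PEER -j ACCEPT
iptables -A OUTPUT -j DROP
EOF
}
# The first two INPUT rules match the still-encrypted packet on its first
# pass; the policy-match rule matches the same traffic after decapsulation,
# when it re-enters PRE_ROUTING/INPUT as plaintext. Plaintext that did not
# arrive through an SA (for example a spoofed copy of an inner address)
# carries no IPsec policy and falls through to DROP, apart from SSH.
# On the output path the plaintext packet hits OUTPUT first and is matched by
# --dir out; in tunnel mode the encapsulated packet traverses OUTPUT again,
# which the "-p esp -d $PEER" rule accepts.

# Usage (as root, after reviewing the output):
#   IPSEC_MODE=tunnel sh this_script.sh | sh
[ -n "${IPSEC_RULES_NO_MAIN:-}" ] || ipsec_input_rules "$IPSEC_MODE"
```

The `--mode` qualifier is what keeps the decrypted-packet rule honest: a transport mode SA leaves the inner addresses untouched, so without the policy match a plain rule on the inner addresses would also accept unprotected packets that merely claim those addresses.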
