On 18.10.2016 22:11, Brian O'Connor wrote:
>
> So, for forwarded traffic (as distinct from locally sourced packets), I
> understand the packet to flow through the mangle and nat postrouting chains
> twice, and the other iptables output chains for raw, mangle, nat and filter
> tables only once after encryption.

That depends on where the packet originally came from. If it comes in an
ESP/NAT-T packet, it circulates through the INPUT path two times (once as an
ESP/NAT-T packet and once as an unprotected packet). If it is an unprotected
packet, it only goes through the INPUT path once (as an unprotected packet).

> On the first pass through the mangle and nat postrouting chains, iptables
> rules would operate on the unencrypted payload packet and on the second pass
> on the IP headers of the encrypted IPsec packet.

If the packet matches an IPsec policy with the OUTPUT flag set, then yes.

We need to strongly differentiate in this discussion where the packet actually
comes from and where it goes to (if it was/is in an ESP/NAT-T/AH packet, if
there is a matching INPUT policy for it in the SAD and SPD, and analogously if
it's a packet that is going to be protected with IPsec, that is, if there's a
matching policy in the SPD for it with the correct mode and if it's a policy
that has the correct mode).

A packet that goes through netfilter *4* times would be a packet that is
received as an ESP/NAT-T/AH packet, has a matching SA and SP, is allowed by
your netfilter rules, is locally decapsulated, routed, encapsulated and allowed
again, and then sent to another host again.

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
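The traversal counts described above can be verified on a gateway with the iptables xt_policy match, which only sees an IPsec policy on the plaintext pass of a packet. The following is an added example, not code from this thread or from strongSwan; it installs counting rules in the mangle table, and the comment tag and the IPT variable (set IPT=echo to preview the rules without root) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): count each netfilter traversal of an
# IPsec-handled packet on a strongSwan gateway, using the xt_policy match.
# IPT defaults to iptables; set IPT=echo to preview the rules without root.
IPT="${IPT:-iptables}"
TAG="${TAG:-ipsec-trace}"   # assumed comment tag, used to find these rules

# Rules without a -j target only count; read them back with ipsec_trace_show.
ipsec_trace_add() {
    # Inbound, pass 1: the ESP (or UDP/4500 NAT-T) packet as received from the peer.
    "$IPT" -t mangle -A PREROUTING -p esp -m comment --comment "$TAG in1 esp"
    "$IPT" -t mangle -A PREROUTING -p udp --dport 4500 -m comment --comment "$TAG in1 nat-t"
    # Inbound, pass 2: the decapsulated payload re-entering PREROUTING. Only now
    # does the skb carry an inbound IPsec policy that --pol ipsec can match.
    "$IPT" -t mangle -A PREROUTING -m policy --dir in --pol ipsec --proto esp \
        -m comment --comment "$TAG in2 payload"
    # Forwarded traffic that arrived via IPsec is seen here exactly once, as plaintext.
    "$IPT" -t mangle -A FORWARD -m policy --dir in --pol ipsec --proto esp \
        -m comment --comment "$TAG fwd payload"
    # Outbound, pass 1: plaintext that a matching outbound SP says will be encrypted.
    "$IPT" -t mangle -A POSTROUTING -m policy --dir out --pol ipsec --proto esp \
        -m comment --comment "$TAG out1 payload"
    # Outbound, pass 2: the ESP/NAT-T packet after encapsulation; no policy is attached
    # any more, so it is matched by protocol/port instead.
    "$IPT" -t mangle -A POSTROUTING -p esp -m comment --comment "$TAG out2 esp"
    "$IPT" -t mangle -A POSTROUTING -p udp --dport 4500 -m comment --comment "$TAG out2 nat-t"
}

# Print packet/byte counters of the trace rules (needs root and a real iptables).
# For one forwarded flow in each direction, in1/in2/fwd/out1/out2 should all advance.
ipsec_trace_show() {
    for chain in PREROUTING FORWARD POSTROUTING; do
        "$IPT" -t mangle -L "$chain" -v -n -x | grep -F "$TAG" || true
    done
}
```

With IPT=echo the functions print the rule specs instead of applying them, which is also how the counters can be reviewed before touching a production firewall.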
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users