From: Tom Eastep <teastep@shorewall.net>
To: Harald Welte <laforge@netfilter.org>
Cc: Willy Tarreau <willy@w.ods.org>,
	Henrik Nordstrom <hno@marasystems.com>,
	Michal Ludvig <mludvig@suse.cz>,
	netfilter-devel@lists.netfilter.org
Subject: Re: NAT before IPsec with 2.6
Date: Wed, 28 Jan 2004 07:36:29 -0800
Message-ID: <200401280736.29799.teastep@shorewall.net>
In-Reply-To: <20040127204546.GZ11761@sunbeam.de.gnumonks.org>

On Tuesday 27 January 2004 12:45 pm, Harald Welte wrote:
> > > To do this, somewhen between esp_output() is called and the beginning
> > > of the modification of the packet payload, we need to call
> > > nf_hook(POST_ROUTING).  This way, conntrack would be able to put the
> > > connection in the hash, and people can do SNAT-like operations in
> > > nat->POSTROUTING.  We could even pass a dummy output device structure
> > > with an interface name "esp" so people can SNAT everything heading for
> > > esp encapsulation.
> >
> > I like this proposal.
>
> Great :)
>
> > I assume that on input, payload packets would also have this dummy
> > device as their input device?
>
> sure, makes sense.
>
> > And on output that payload packets would have "esp" as their output
> > device in the FORWARD and OUTPUT hooks as well?
>
> no, that's way more difficult.  I'm not sure whether it can be done at
> all (without adding ridiculous kludges to the code).

Bummer -- I'm trying to avoid equally ridiculous kludges in my own code :-)

>
> > I would also like to register my vote for having the AH/ESP packets go
> > through INPUT and OUTPUT. This would allow Shorewall to treat IPSEC in
> > the same way as it does all other tunnel types:
>
> Mh.  Let's say we stick with the INPUT/OUTPUT chains for now.
>
> However, I would like to introduce new netfilter hooks.  At least for
> the beginning (due to lack of better ideas), I'm going to register the
> INPUT/OUTPUT chains with those new hooks.
>
> The idea of the new hooks is that in reality they are at different
> locations in the stack.  And at some point we might have some module
> that is only interested in xfrm'ed packets.
>

I understand.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
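
The traversal Harald proposes above (nf_hook(POST_ROUTING) run from esp_output() against the still-cleartext payload packet, with a dummy "esp" output device so nat->POSTROUTING can SNAT it) as an added toy model in Python; this is not code from the thread or from the kernel, and the Packet type, the snat_rule/esp_output functions and all addresses are constructed for illustration.

```python
"""Toy model of the netfilter/IPsec ordering discussed in the thread.

Not kernel code: hooks, the dummy "esp" device and the SNAT rule are
modelled in plain Python to show why nat->POSTROUTING must see the
cleartext payload packet *before* esp_output() encapsulates it.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" for the payload, "esp" once encapsulated
    outdev: str           # device the routing decision selected
    payload: object = None  # inner packet once ESP-encapsulated


def snat_rule(pkt, conntrack):
    """Model of a nat->POSTROUTING rule: SNAT everything leaving via the
    dummy 'esp' device.  Conntrack records the flow it saw (the 'hash')."""
    if pkt.outdev == "esp" and pkt.proto != "esp":
        conntrack.add((pkt.src, pkt.dst, pkt.proto))
        pkt.src = "203.0.113.1"   # constructed public address
    return pkt


def esp_output(pkt, call_postrouting, conntrack):
    """Encapsulate pkt in ESP.  With call_postrouting=True the proposal's
    extra nf_hook(POST_ROUTING) runs on the cleartext packet first."""
    if call_postrouting:
        pkt = snat_rule(pkt, conntrack)   # hook sees inner packet, outdev "esp"
    # Constructed tunnel endpoints; the outer packet leaves on eth0.
    outer = Packet(src="198.51.100.2", dst="198.51.100.9", proto="esp",
                   outdev="eth0", payload=pkt)
    # The POST_ROUTING hook on the physical device only ever sees ESP,
    # so a rule keyed on the inner addresses cannot match here.
    return snat_rule(outer, conntrack)


def send(pkt, proposal):
    """Return (inner source after transmission, conntrack entries created)."""
    conntrack = set()
    outer = esp_output(pkt, proposal, conntrack)
    return outer.payload.src, sorted(conntrack)
```

Without the proposed hook the inner source address stays private and conntrack never sees the flow; with it the payload is SNATed and tracked before encryption.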