From: Patrick McHardy <kaber@trash.net>
To: Willy Tarreau <willy@w.ods.org>
Cc: Harald Welte <laforge@netfilter.org>,
	Henrik Nordstrom <hno@marasystems.com>,
	Tom Eastep <teastep@shorewall.net>,
	Michal Ludvig <mludvig@suse.cz>,
	Netfilter Development Mailinglist
	<netfilter-devel@lists.netfilter.org>
Subject: Re: [PATCH]Re: NAT before IPsec with 2.6
Date: Fri, 20 Feb 2004 02:43:00 +0100
Message-ID: <40356624.6050209@trash.net>
In-Reply-To: <20040218220337.GA3193@alpha.home.local>

Hi Willy,

Willy Tarreau wrote:
> 
> Judging by the fact that I saw no reply to your previous mail,
> I suspect that we all are a bit busy. Regarding your previous
> question about a possible asymmetry, I was starting to draw a
> flow diagram to check what I understood correctly and that
> we could use as a base to comment on, but I finally didn't have
> time to work on it anymore. In fact, I see how a packet passes
> through the tables and chains without ipsec, I have a few doubts
> about what changes with ipsec and your patches (eg: I don't
> remember if the decapsulated packet goes through mgl:PRE or not),
> and I'm yet less certain about what is known about the sessions
> at different stages. If I find time to come up with a diagram
> (even if it's plain wrong), I'll post it here.

Thanks a lot! Decapsulated packets go the usual way, in fact the
patch doesn't change anything for tunnel mode except that
it drops the conntrack reference before packets are posted into
the stack again. For transport mode packets it's a bit different,
and I too am not entirely sure if the packet is always in valid
state with the emulate_nf_hooks stuff, especially when
NAT-Traversal is used. I'm investigating this after I fix a
bug Michal and a second tester reported. Regarding hooks passed,
packets SNATed in POST_ROUTING which have a matching policy
afterwards won't pass the SELINUX and CONNTRACK hooks.
The mangle table may also cause problems when something causes
rerouting, I haven't thought about the possible effects yet.
Other than that I currently cannot think of more problems.

Best regards,
Patrick

> 
> Cheers,
> Willy
> 
