Netfilter+IPsec patches in pom-ng now

Netfilter+IPsec patches in pom-ng now

[Patrick McHardy]

I've just commited the netfilter+ipsec patches to pom-ng.

The input patch is replaced with a new version which just
posts packets which are done with ipsec into the stack again
and lets them traverse the hooks at the usual places. The
advantage is the simplicity and transparency for netfilter,
the disadvantage is an extra pass through the stack.

Some bugs have been fixed since the last set of patches:

- IPIP packets decapsulated from IPsec missed the input hooks
- multiple other problems related to the old input patch
- compiles without CONFIG_NETFILTER
- icmp/igmp didn't traverse POST_ROUTING before encapsulation
- possible NULL-ptr dereference fixed

They still need some work but mostly cleanup, nothing critical.

The patches are split into four parts, but pom-ng does not handle
recursive dependencies when dependant patches change the same
piece of code and --dry-run fails, so the patches need to be
applied manually in the right order. The patches are named in
a way that they will appear in the correct order during "runme".

Regards
Patrick

PS: I've CCed some people who showed interest, but who I think
are not subscribed to the list. Please tell me in private if
you want don't want these mails.

Re: Netfilter+IPsec patches in pom-ng now

[Alexander Samad]

[-- Attachment #1: Type: text/plain, Size: 1447 bytes --]

On Wed, Apr 14, 2004 at 04:30:32AM +0200, Patrick McHardy wrote:
> I've just commited the netfilter+ipsec patches to pom-ng.
> 
> The input patch is replaced with a new version which just
> posts packets which are done with ipsec into the stack again
> and lets them traverse the hooks at the usual places. The
> advantage is the simplicity and transparency for netfilter,
> the disadvantage is an extra pass through the stack.
> 
> Some bugs have been fixed since the last set of patches:
> 
> - IPIP packets decapsulated from IPsec missed the input hooks
> - multiple other problems related to the old input patch
> - compiles without CONFIG_NETFILTER
> - icmp/igmp didn't traverse POST_ROUTING before encapsulation
> - possible NULL-ptr dereference fixed
> 
> They still need some work but mostly cleanup, nothing critical.
> 
> The patches are split into four parts, but pom-ng does not handle
> recursive dependencies when dependant patches change the same
> piece of code and --dry-run fails, so the patches need to be
> applied manually in the right order. The patches are named in
> a way that they will appear in the correct order during "runme".
> 
> Regards
> Patrick
> 
> PS: I've CCed some people who showed interest, but who I think
> are not subscribed to the list. Please tell me in private if
> you want don't want these mails.
> 

Patrick I have noted that 04 doesn't apply cleanly to 2.6.5



[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Netfilter+IPsec patches in pom-ng now

[Ivan Mitev]

> Patrick I have noted that 04 doesn't apply cleanly to 2.6.5

the only problem i noticed when patching kernel 2.6.5 was with patch 02 (i use
the cvs versions of pom-ng and iptables of april 14). i'll try to check again.

btw i'm experimenting with them for a few days now, and i didn't encounter any 
problem. everything's fine!

ivan

Re: Netfilter+IPsec patches in pom-ng now

[Alexander Samad]

[-- Attachment #1: Type: text/plain, Size: 490 bytes --]

On Tue, Apr 20, 2004 at 04:20:47PM +0300, Ivan Mitev wrote:
> > Patrick I have noted that 04 doesn't apply cleanly to 2.6.5
Have to admit I used a debian 2.6.5, will check it out

> 
> the only problem i noticed when patching kernel 2.6.5 was with patch 02 (i use
> the cvs versions of pom-ng and iptables of april 14). i'll try to check again.
> 
> btw i'm experimenting with them for a few days now, and i didn't encounter any 
> problem. everything's fine!
> 
> ivan
> 
> 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Netfilter+IPsec patches in pom-ng now

[Alexander Samad]

[-- Attachment #1: Type: text/plain, Size: 1457 bytes --]

On Wed, Apr 14, 2004 at 04:30:32AM +0200, Patrick McHardy wrote:
> I've just commited the netfilter+ipsec patches to pom-ng.
> 
> The input patch is replaced with a new version which just
> posts packets which are done with ipsec into the stack again
> and lets them traverse the hooks at the usual places. The
> advantage is the simplicity and transparency for netfilter,
> the disadvantage is an extra pass through the stack.
> 
> Some bugs have been fixed since the last set of patches:
> 
> - IPIP packets decapsulated from IPsec missed the input hooks
> - multiple other problems related to the old input patch
> - compiles without CONFIG_NETFILTER
> - icmp/igmp didn't traverse POST_ROUTING before encapsulation
> - possible NULL-ptr dereference fixed
> 
> They still need some work but mostly cleanup, nothing critical.
> 
> The patches are split into four parts, but pom-ng does not handle
> recursive dependencies when dependant patches change the same
> piece of code and --dry-run fails, so the patches need to be
> applied manually in the right order. The patches are named in
> a way that they will appear in the correct order during "runme".

Work out my problem with 2.6.5, need to apply nf_reset patch first.



> 
> Regards
> Patrick
> 
> PS: I've CCed some people who showed interest, but who I think
> are not subscribed to the list. Please tell me in private if
> you want don't want these mails.
> 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]