Re: ipsec patches test: minor compilation and policy match issues

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Ivan Mitev <imitev@obs.bg>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: ipsec patches test: minor compilation and policy match issues
Date: Fri, 16 Apr 2004 16:11:41 +0200	[thread overview]
Message-ID: <407FE99D.6010100@trash.net> (raw)
In-Reply-To: <20040415212034.GE7611@obs.bg>

Ivan Mitev wrote:

 > [...]
> 
> anwyway, with the comment/uncomment of the 2 includes, plus with some manual
> tweaks for the policy patch, i got everything running.

I'm going to look into these problems, thanks.

> now, the real testing, so here is the setup (very basic for now): 
> 
> all nets are 172.16.x.x/24
> 
>                --------                           --------
>  .1.0 --- 1.10 | rtr1 | 2.10 --- "inet" ---- 3.10 | rtr2 | 4.10 --- .4.0
>           eth0 -------- eth1                 eth1 -------- eth0
> 
> 
> rtr1 is the 2.6 ipsec gw where i test the new ipsec patches
> 
> "inet" is in fact another router where i can tcpdump to
> check that i only have ESP and/or AH packets between 2.10 and 3.10
> 
> i only have a tunnel for .1.0 <-> .4.0 networks, and no transport mode.
> 
> after a bit of tests, i saw that the ipsec match doesn't work when i specify 
> --tunnet-dst/src; otherwise it works very well, at least for this basic setup.
> 
> so, for example that rule works:
> 
> iptables -A FORWARD -i eth0 -o eth1 -m policy --dir out --pol ipsec --strict --proto esp --mode tunnel -j ACCEPT
> 
> while these don't:
> 
> iptables -A FORWARD -i eth0 -o eth1 -m policy --dir out --pol ipsec --strict --proto esp --mode tunnel --tunnel-dst 172.16.4.0/24 -j ACCEPT
> 
> or
> 
> iptables -A FORWARD -i eth0 -o eth1 -m policy --dir out --pol ipsec --strict --proto esp --mode tunnel --tunnel-src 172.16.1.0/24 -j ACCEPT
> 
> or 
> 
> iptables -A FORWARD -i eth0 -o eth1 -m policy --dir out --pol ipsec --strict --proto esp --mode tunnel --tunnel-src 172.16.1.0/24 --tunnel-dst 172.16.4.0/24 -j ACCEPT

 From your diagram above I'd say that you need
--tunnel-src x.y.2.10 --tunnel-dst x.y.3.10. tunnel-src
and tunnel-dst match the ipsec-tunnel peers, not the
addresses of the encapsulated packets.

> that's it for now; later i'll try to migrate/test a part of a (really) 
> more complex setup, with lots of iptables and tc rules (so i expect some 
> problems where the packets are seen twice, in their encrypted/de-encrypted 
> form). i also have some user-space apps that use ip_queue, so i'll see 
> if they'll be broken.

I'm looking forward to your tests.

> if some of you are interested in more tests for the transport mode, i can
> investigate that too...

Sure, anything helps. Thanks for your help ;)

Regards,
Patrick

> 
> regards,
> ivan
>

next prev parent reply	other threads:[~2004-04-16 14:11 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-04-15 21:20 ipsec patches test: minor compilation and policy match issues Ivan Mitev
2004-04-16 14:11 ` Patrick McHardy [this message]
2004-04-24 10:17   ` Ivan Mitev
2004-04-24 11:14     ` Patrick McHardy
2004-04-24 11:51       ` Patrick McHardy
2004-04-24 13:07         ` Ivan Mitev
2004-04-27 18:58     ` Michael Richardson
2004-04-28  0:30       ` Patrick McHardy
2004-04-16 15:21 ` Where is DROP target implemented {Virus Scanned} Qiang
2004-04-16 16:39   ` Patrick McHardy
2004-07-13  2:37 ` ipsec patches test: minor compilation and policy match issues Stephen Frost
2004-07-13  2:54   ` Patrick McHardy
2004-07-13 11:53     ` Stephen Frost
2004-07-13 15:56       ` Patrick McHardy
2004-07-13 16:10         ` Stephen Frost
2004-07-14  1:22           ` Patrick McHardy
2004-07-14  3:00             ` Stephen Frost
2004-07-14 12:11               ` Patrick McHardy
2004-07-14  3:37             ` Henrik Nordstrom
2004-07-14 12:25               ` Patrick McHardy
2004-07-14 15:05                 ` Henrik Nordstrom
2004-07-23  0:06                   ` Patrick McHardy
2004-07-25  9:40                     ` Henrik Nordstrom

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=407FE99D.6010100@trash.net \
    --to=kaber@trash.net \
    --cc=imitev@obs.bg \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.