From: Patrick McHardy <kaber@trash.net>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: Stephen Frost <sfrost@snowman.net>, netfilter-devel@lists.netfilter.org
Subject: Re: ipsec patches test: minor compilation and policy match issues
Date: Wed, 14 Jul 2004 14:25:57 +0200 [thread overview]
Message-ID: <40F52655.8040608@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.44.0407140528420.12284-100000@filer.marasystems.com>
Henrik Nordstrom wrote:
>
> This general problem of conntrack when applying policies on packets
> flows.. Spoofed packets arriving from an untrusted source will disrupt
> conntrack states unless filtering is applied before conntrack.
>
> In normal traffic this can be solved by using the raw table to enforce the
> anti-spoof policy by dropping illegal traffic flows before seen by
> conntrack. I suppose something similar could be done with ipsec traffic?
Yes.
> It would obviously be very nice for conntrack if the ipsec policy checks
> could be applied in prerouting before conntrack, but I am not sure how
> feasible this is.. It is not exacly a natural point for ipsec to apply
> policy checks in prerouting..
It can be done easily, when the packets hit netfilter decapsulation is
already done, we just need to add a call to xfrm4_policy_check().
The drawback is that policy checks would be performed twice on valid
packets.
Regards
Patrick
next prev parent reply other threads:[~2004-07-14 12:25 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-15 21:20 ipsec patches test: minor compilation and policy match issues Ivan Mitev
2004-04-16 14:11 ` Patrick McHardy
2004-04-24 10:17 ` Ivan Mitev
2004-04-24 11:14 ` Patrick McHardy
2004-04-24 11:51 ` Patrick McHardy
2004-04-24 13:07 ` Ivan Mitev
2004-04-27 18:58 ` Michael Richardson
2004-04-28 0:30 ` Patrick McHardy
2004-04-16 15:21 ` Where is DROP target implemented {Virus Scanned} Qiang
2004-04-16 16:39 ` Patrick McHardy
2004-07-13 2:37 ` ipsec patches test: minor compilation and policy match issues Stephen Frost
2004-07-13 2:54 ` Patrick McHardy
2004-07-13 11:53 ` Stephen Frost
2004-07-13 15:56 ` Patrick McHardy
2004-07-13 16:10 ` Stephen Frost
2004-07-14 1:22 ` Patrick McHardy
2004-07-14 3:00 ` Stephen Frost
2004-07-14 12:11 ` Patrick McHardy
2004-07-14 3:37 ` Henrik Nordstrom
2004-07-14 12:25 ` Patrick McHardy [this message]
2004-07-14 15:05 ` Henrik Nordstrom
2004-07-23 0:06 ` Patrick McHardy
2004-07-25 9:40 ` Henrik Nordstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40F52655.8040608@trash.net \
--to=kaber@trash.net \
--cc=hno@marasystems.com \
--cc=netfilter-devel@lists.netfilter.org \
--cc=sfrost@snowman.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.