From mboxrd@z Thu Jan 1 00:00:00 1970 From: Patrick McHardy Subject: Re: ipsec patches test: minor compilation and policy match issues Date: Wed, 14 Jul 2004 14:25:57 +0200 Sender: netfilter-devel-admin@lists.netfilter.org Message-ID: <40F52655.8040608@trash.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: Stephen Frost , netfilter-devel@lists.netfilter.org Return-path: To: Henrik Nordstrom In-Reply-To: Errors-To: netfilter-devel-admin@lists.netfilter.org List-Help: List-Post: List-Subscribe: , List-Unsubscribe: , List-Archive: List-Id: netfilter-devel.vger.kernel.org Henrik Nordstrom wrote: > > This general problem of conntrack when applying policies on packets > flows.. Spoofed packets arriving from an untrusted source will disrupt > conntrack states unless filtering is applied before conntrack. > > In normal traffic this can be solved by using the raw table to enforce the > anti-spoof policy by dropping illegal traffic flows before seen by > conntrack. I suppose something similar could be done with ipsec traffic? Yes. > It would obviously be very nice for conntrack if the ipsec policy checks > could be applied in prerouting before conntrack, but I am not sure how > feasible this is.. It is not exacly a natural point for ipsec to apply > policy checks in prerouting.. It can be done easily, when the packets hit netfilter decapsulation is already done, we just need to add a call to xfrm4_policy_check(). The drawback is that policy checks would be performed twice on valid packets. Regards Patrick