* status of netfilter+ipsec patches
@ 2005-03-04 17:09 Rolf Offermanns
  2005-03-28 18:58 ` Tom Eastep
  0 siblings, 1 reply; 7+ messages in thread
From: Rolf Offermanns @ 2005-03-04 17:09 UTC (permalink / raw)
  To: netfilter-devel

Hi!
I read in the archives of this ml that the netfilter+ipsec patches were 
supposed to be submitted after 2.6.10 release.

Are there any open issues? What keeps them from going into the main kernel?

-Rolf
-- 
Rolf Offermanns <roffermanns@sysgo.com>
SYSGO AG     Tel.: +49-6136-9948-0
Am Pfaffenstein 14   Fax: +49-6136-9948-10
55270 Klein-Winternheim  http://www.sysgo.com


* Re: status of netfilter+ipsec patches
  2005-03-04 17:09 status of netfilter+ipsec patches Rolf Offermanns
@ 2005-03-28 18:58 ` Tom Eastep
  2005-03-28 19:49   ` Patrick McHardy
  0 siblings, 1 reply; 7+ messages in thread
From: Tom Eastep @ 2005-03-28 18:58 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

Rolf Offermanns wrote:
> Hi!
> I read in the archives of this ml that the netfilter+ipsec patches were
> supposed to be submitted after 2.6.10 release.
> 
> Are there any open issues? What keeps them from going into the main kernel?
> 

I second this question -- I'm giving a presentation about Shorewall and
IPSEC next month at Linuxfest Northwest and I'd like to be able to give
the audience the current status of the patches.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


* Re: status of netfilter+ipsec patches
  2005-03-28 18:58 ` Tom Eastep
@ 2005-03-28 19:49   ` Patrick McHardy
  2005-03-29  8:55     ` Alexander Samad
  2005-06-23 14:53     ` Status of Netfilter IPSEC patches Sven Anders
  0 siblings, 2 replies; 7+ messages in thread
From: Patrick McHardy @ 2005-03-28 19:49 UTC (permalink / raw)
  To: Tom Eastep; +Cc: netfilter-devel

Tom Eastep wrote:
> I second this question -- I'm giving a presentation about Shorewall and
> IPSEC next month at Linuxfest Northwest and I'd like to be able to give
> the audience the current status of the patches.

Read last week's netdev archive, turns out the whole idea of skipping
netfilter hooks until all IPsec processing is done was wrong. I don't
know how to solve it yet.

Regards
Patrick


* Re: status of netfilter+ipsec patches
  2005-03-28 19:49   ` Patrick McHardy
@ 2005-03-29  8:55     ` Alexander Samad
  2005-06-23 14:53     ` Status of Netfilter IPSEC patches Sven Anders
  1 sibling, 0 replies; 7+ messages in thread
From: Alexander Samad @ 2005-03-29  8:55 UTC (permalink / raw)
  To: netfilter-devel

On Mon, Mar 28, 2005 at 09:49:38PM +0200, Patrick McHardy wrote:
> Tom Eastep wrote:
> >I second this question -- I'm giving a presentation about Shorewall and
> >IPSEC next month at Linuxfest Northwest and I'd like to be able to give
> >the audience the current status of the patches.
> 
> Read last week's netdev archive, turns out the whole idea of skipping
> netfilter hooks until all IPsec processing is done was wrong. I don't
> know how to solve it yet.

So which ipsec patches have to be applied to 2.6.11?

> Regards
> Patrick


* Status of Netfilter IPSEC patches
  2005-03-28 19:49   ` Patrick McHardy
  2005-03-29  8:55     ` Alexander Samad
@ 2005-06-23 14:53     ` Sven Anders
  2005-06-23 15:06       ` Patrick McHardy
  1 sibling, 1 reply; 7+ messages in thread
From: Sven Anders @ 2005-06-23 14:53 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel


Hello!

Today I rummaged in the netfilter-devel mailing-list archive.
I found the following statement about the NETFILTER/IPSEC patches:

| Patrick McHardy wrote:
|
| Read last week's netdev archive, turns out the whole idea of skipping
| netfilter hooks until all IPsec processing is done was wrong. I don't
| know how to solve it yet.

Any details about this?
What problems can arise?

I downloaded the latest patch-o-matic and looked at the state of the patches,
but these are out-of-date. Are these patches unmaintained due to the statement
above?
There are newer ones under:
  http://www.saout.de/misc/linux-2.6.12-ipsec-nat/
Please update the patches in the patch-o-matic!

Regards
  Sven

PS: please answer me directly, too. Thanks!
--
Sven Anders <anders@anduras.de>                 () Ascii Ribbon Campaign
                                                /\ Support plain text e-mail
ANDURAS service solutions AG
Innstraße 71 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Legal form: Aktiengesellschaft - Registered office: Passau - Amtsgericht Passau HRB 6032
Members of the management board: Sven Anders, Marcus Junker, Michael Schön
Chairman of the supervisory board: Dipl. Kfm. Thomas Träger

* Re: Status of Netfilter IPSEC patches
  2005-06-23 14:53     ` Status of Netfilter IPSEC patches Sven Anders
@ 2005-06-23 15:06       ` Patrick McHardy
  2005-06-27  8:14         ` Harald Welte
  0 siblings, 1 reply; 7+ messages in thread
From: Patrick McHardy @ 2005-06-23 15:06 UTC (permalink / raw)
  To: Sven Anders; +Cc: netfilter-devel

Sven Anders wrote:
> | Patrick McHardy wrote:
> |
> | Read last week's netdev archive, turns out the whole idea of skipping
> | netfilter hooks until all IPsec processing is done was wrong. I don't
> | know how to solve it yet.
> 
> Any details about this?
> What problems can arise?

Raw sockets can have policies that allow them to receive packets
in intermediate states. Skipping the hooks on input until the
packets are entirely decrypted makes filtering before these sockets
impossible and is inconsistent with the way filtering can usually
be done.

It seems the only thing that would work is taking the opposite approach,
pass the packets through LOCAL_OUT/POST_ROUTING for each transform on
output and don't skip on input. For filtering in transport mode this
means we need to pass a packet through the stack for each transform on
input, not just for tunnel mode.

> I downloaded the latest patch-o-matic and looked at the state of the
> patches,
> but these are out-of-date. Are these patches unmaintained due to the
> statement
> above?

Yes.

> There are newer ones under:
>   http://www.saout.de/misc/linux-2.6.12-ipsec-nat/
> Please update the patches in the patch-o-matic!

If someone sends me a patch for svn I'll apply it.

Regards
Patrick

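The hook-ordering problem Patrick describes above, reduced to a toy model. This is an added illustration, not code from the thread, the netfilter project or the kernel: it models an inbound packet protected by two nested transport-mode transforms, a raw socket whose policy accepts the packet in an intermediate state (one layer stripped), and a filter rule that wants to drop that intermediate state. The transform names, addresses, socket policy and filter rule are all constructed for the example. It contrasts the original design (skip the netfilter hooks until every transform is removed) with the approach Patrick proposes (pass the packet through the hooks once per transform) and shows that only the latter lets the filter act before the raw socket sees the packet.

```python
"""Toy model of netfilter hook placement relative to IPsec transforms on input.

Constructed illustration only; it does not reflect real kernel data structures.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    transforms: List[str]                    # outermost first, e.g. ["esp", "ah"]
    delivered_to_raw: List[List[str]] = field(default_factory=list)
    dropped_at: Optional[str] = None


def filter_hook(pkt: Packet, stage: str) -> bool:
    """Constructed filter rule: drop packets from 10.0.0.5 while they still
    carry exactly the inner AH layer, i.e. the state after ESP is stripped."""
    if pkt.src == "10.0.0.5" and pkt.transforms == ["ah"]:
        pkt.dropped_at = stage
        return False
    return True


def raw_socket_wants(pkt: Packet) -> bool:
    """Constructed raw-socket policy: accepts packets protected by AH only.
    This is the 'intermediate state' a raw socket may be allowed to receive."""
    return pkt.transforms == ["ah"]


def receive_skip_until_done(pkt: Packet) -> Packet:
    """The design the thread calls wrong: netfilter hooks are skipped until all
    IPsec processing is finished, so raw sockets get intermediate states
    before any filter rule has had a chance to run."""
    while pkt.transforms:
        if raw_socket_wants(pkt):
            pkt.delivered_to_raw.append(list(pkt.transforms))
        pkt.transforms.pop(0)                # strip the outermost transform
    filter_hook(pkt, "LOCAL_IN")             # runs only on the fully decrypted packet
    return pkt


def receive_hook_per_transform(pkt: Packet) -> Packet:
    """Patrick's proposed approach: run the input hooks once per transform, so
    each intermediate state is filtered before it can reach a raw socket."""
    while pkt.transforms:
        if not filter_hook(pkt, f"LOCAL_IN/{len(pkt.transforms)}"):
            return pkt                       # dropped before raw delivery
        if raw_socket_wants(pkt):
            pkt.delivered_to_raw.append(list(pkt.transforms))
        pkt.transforms.pop(0)
    filter_hook(pkt, "LOCAL_IN/final")
    return pkt


if __name__ == "__main__":
    for fn in (receive_skip_until_done, receive_hook_per_transform):
        p = fn(Packet("10.0.0.5", ["esp", "ah"]))
        print(fn.__name__, "raw deliveries:", p.delivered_to_raw,
              "dropped at:", p.dropped_at)
```

With the skip-until-done model the filter never sees the `["ah"]` state, so the raw socket receives the packet and nothing is dropped; with the per-transform model the rule fires at the first intermediate state and the raw socket gets nothing. A packet from any other source passes both models unchanged.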

* Re: Status of Netfilter IPSEC patches
  2005-06-23 15:06       ` Patrick McHardy
@ 2005-06-27  8:14         ` Harald Welte
  0 siblings, 0 replies; 7+ messages in thread
From: Harald Welte @ 2005-06-27  8:14 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

On Thu, Jun 23, 2005 at 05:06:22PM +0200, Patrick McHardy wrote:

> > There are newer ones under:
> >   http://www.saout.de/misc/linux-2.6.12-ipsec-nat/
> > Please update the patches in the patch-o-matic!
> 
> If someone sends me a patch for svn I'll apply it.

I took the liberty of downloading the patches from Christophe Saout's
website and committing them to svn as 'linux-2.6.12.patch'; this way it
works for new and old kernels.

If someone (Christophe?) has patches for 2.6.10/.11, feel free to submit
them so we can include them, too.

Thanks!

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
