* IPSec and Netfilter
@ 2005-10-13 21:39 Jerry Alexander
From: Jerry Alexander @ 2005-10-13 21:39 UTC (permalink / raw)
  To: netfilter-devel, Jerry

Dear NF devel:

Have just currently written a user library to implement iptables filter and NAT commands.

Also have written a kernel module that hooks into the PREROUTE hook to intercept packets and collect stats on the IP packet addresses that have been entered into iptables.

Manager just came by and asked me if Netfilter is above or below where IPSEC resides. Only know the minimal about IPSEC at this time. I believe his concern is that, say in tunnel mode, an IPSEC IP header is built and the contents are encrypted, and if Netfilter is below IPSEC, routing and statistics gathering won't work.

From browsing the internet, it appears with the correct "iptables NAT command" that the packet routing will occur correctly.

I also assume that when I try to read the packets at the PREROUTE point it will be the decrypted packet and my statistics gathering will work.

So far the documentation I have found is not clear on this.

Could someone knowledgeable in this area please clarify.

Thanks,

Jerry


* RE: IPSec and Netfilter
@ 2005-10-14  5:08 Greg Scott
From: Greg Scott @ 2005-10-14  5:08 UTC (permalink / raw)
  To: Jerry Alexander, netfilter-devel, Jerry

I will take a stab at it.  Not sure if this belongs in the developer
forum or not, but what do I know?

In the 2.4 kernels, you build a custom kernel with the Free S/WAN or
Strongswan stuff.  When you fire up ipsec, you create this pseudo device
called ipsec0.  (Really, ipsec"n", where "n" is some number that's
generally 0 unless you say otherwise.)  And then there's an ipsec.conf
file where you define all your tunnels and parameters.  See
http://www.strongsec.org for documentation.  

Anyway, now you have this ipsec virtual device, you can define iptables
rules as you see fit.  

You can also define iptables rules around any or all of the ipsec
protocols (AH, ESP, UDP 500) against the real interfaces.  

I haven't done this yet with a 2.6 kernel but my reading suggests the
ipsec stuff is built right into the mainline kernel now and all we need
are the user apps to manage encryption, tunnels, etc.

So is netfilter above or below ipsec?  I guess you could say netfilter
is more like a peer with ipsec.  You can apply iptables rules to the
virtual ipsec interfaces, or to the physical interfaces.  So instead of
one being "above" the other, I think of them in parallel.  

- Greg Scott



* ipsec and netfilter
@ 2009-02-10 19:42 Joe Pruett
From: Joe Pruett @ 2009-02-10 19:42 UTC (permalink / raw)
  To: netdev

i've asked this on the netfilter list with no responses and there doesn't 
seem to be an ipsec list for linux anymore, so maybe someone here will 
have some insight...

why aren't esp/ah packets run through netfilter again after 
decryption/decapsulation?  in tunnel mode, packets do get sent in again, 
but that is only because ip-ip does that, not the ipsec code.

i want to set up a host2host ipsec connection and be able to do standard 
filtering on it, but the hooks just don't seem to be there.  or am i 
missing something?


* Re: ipsec and netfilter
@ 2009-02-19 12:57 ` Herbert Xu
From: Herbert Xu @ 2009-02-19 12:57 UTC (permalink / raw)
  To: Joe Pruett; +Cc: netdev

Joe Pruett <joey@clean.q7.com> wrote:
>
> why aren't esp/ah packets run through netfilter again after 
> decryption/decapsulation?  in tunnel mode, packets do get sent in again, 
> but that is only because ip-ip does that, not the ipsec code.

They do go through netfilter again after decap in transport mode:

int xfrm4_transport_finish(struct sk_buff *skb, int async)
{
	struct iphdr *iph = ip_hdr(skb);

	/* Restore the inner protocol number that ESP/AH encapsulation replaced. */
	iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol;

#ifndef CONFIG_NETFILTER
	/* Without netfilter there is nothing to re-traverse: hand the
	 * packet straight back to the protocol demultiplexer. */
	if (!async)
		return -iph->protocol;
#endif

	/* Rebuild the IP header over the decapsulated payload. */
	__skb_push(skb, skb->data - skb_network_header(skb));
	iph->tot_len = htons(skb->len);
	ip_send_check(iph);

	/* Re-inject the decrypted packet at PRE_ROUTING, so iptables rules
	 * see the inner packet a second time. */
	NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
		xfrm4_rcv_encap_finish);
	return 0;
}

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
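Putting the two answers together, here is an added example (not written by any poster in this thread) of the iptables rules a host would carry for one IPsec peer. It reflects Greg's point that the encapsulation protocols (AH, ESP, IKE on UDP 500) are matched in the clear on the physical interface, and Herbert's point that decrypted transport-mode packets re-enter PRE_ROUTING, where the 2.6 `policy` match (xt_policy, which the thread itself does not mention) can pin rules to traffic that arrived under IPsec. The interface name eth0, the peer address 203.0.113.5, the NAT-T port 4500 and the SSH service are constructed placeholders; the function only emits the commands as text so they can be reviewed, and nothing here is applied to the kernel.

```shell
#!/bin/sh
# Added example, not from the thread: emit an IPsec-aware iptables rule set
# for review. Arguments (hypothetical values): the physical interface that
# carries the encrypted traffic and the remote IPsec peer address.
ipsec_firewall_rules() {
    wan_if="$1"
    peer="$2"
    cat <<EOF
# 1. Clear-text path on the physical interface: only the IPsec control
#    traffic (IKE, and NAT-T on 4500) and the encapsulation protocols from
#    the configured peer are accepted here.
iptables -A INPUT -i $wan_if -s $peer -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan_if -s $peer -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $wan_if -s $peer -p esp -j ACCEPT
iptables -A INPUT -i $wan_if -s $peer -p ah -j ACCEPT
# 2. Decrypted path: after ESP/AH decapsulation the inner packet re-enters
#    PRE_ROUTING, so ordinary INPUT rules see it. The policy match limits
#    these rules to packets that actually arrived protected by IPsec.
iptables -A INPUT -i $wan_if -m policy --dir in --pol ipsec --proto esp -s $peer -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $wan_if -m policy --dir in --pol ipsec --proto esp -s $peer -j LOG --log-prefix "ipsec-in: "
# 3. Anything else that arrives on this interface without IPsec protection
#    is dropped, so the peer cannot be reached around the tunnel.
iptables -A INPUT -i $wan_if -m policy --dir in --pol none -j DROP
EOF
}

# Number of iptables commands in the generated set (comment lines excluded);
# handy as a sanity check before piping the output into 'sh'.
ipsec_rule_count() {
    ipsec_firewall_rules "$1" "$2" | grep -c '^iptables '
}

# Usage: ./ipsec-rules.sh --show eth0 203.0.113.5
case "${1:-}" in
    --show) ipsec_firewall_rules "${2:-eth0}" "${3:-203.0.113.5}" ;;
esac
```

The ordering matters: the ACCEPT rules for ESP, AH and IKE must come before the final `--pol none` DROP, otherwise the encrypted packets themselves would be discarded before the kernel ever decapsulates them.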
