* new iptables policy match
@ 2006-01-11 16:17 Marco Berizzi
2006-01-12 4:07 ` Patrick McHardy
2006-01-12 9:41 ` Patrick McHardy
0 siblings, 2 replies; 19+ messages in thread
From: Marco Berizzi @ 2006-01-11 16:17 UTC (permalink / raw)
To: netfilter-devel
Hello.
I'm testing the new iptables policy match on a snapshot kernel
(2.6.15-git7).
This is my simple network diagram:
eth1 eth0 eth0
eth1
10.1.2.0/24===172.16.1.247..[ipsec tunnel]..172.16.1.226===10.1.1.0/24
-----2.6.15-git7 linux box----- --------2.4/KLIPS
box----------
I have setup a simple ipsec tunnel between the two linux boxes. So far, so
good.
I'm pinging from 10.1.2.1 (a system connected to the 10.1.2.0/24 net) to
10.1.1.1
(a system connected to the 10.1.1.0/24 net). This is iptables -L -v output:
root@Calimero:/tmp/RACOON# iptables -L -v
Chain INPUT (policy ACCEPT 70672 packets, 15M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
19 1140 ACCEPT all -- any any anywhere anywhere
policy match dir out pol ipsec strict [0] [1] [2] [3] mode
tunnel tunnel-dst 10.1.1.0/24 tunnel-src 10.1.2.0/24
0 0 DROP all -- any any anywhere anywhere
policy match dir in pol ipsec strict [0] [1] [2] [3] mode tunnel
tunnel-dst 10.1.2.0/24 tunnel-src 10.1.1.0/24
0 0 ACCEPT all -- any any 10.1.2.0/24
10.1.1.0/24
19 1140 ACCEPT all -- any any 10.1.1.0/24
10.1.2.0/24
Chain OUTPUT (policy ACCEPT 39941 packets, 7146K bytes)
pkts bytes target prot opt in out source
destination
As you can see the 2nd rule should drop ipsec packets but they aren't
dropped:
I'm getting back the echo reply packets from 10.1.1.1 to 10.1.2.1
Also the 3rd rule counter doesn't increment.
Deleting the 1st and 2nd rule counter are fine:
root@Calimero:/tmp/RACOON# iptables -L -v
Chain INPUT (policy ACCEPT 73891 packets, 15M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
66 3960 ACCEPT all -- any any 10.1.2.0/24
10.1.1.0/24
66 3960 ACCEPT all -- any any 10.1.1.0/24
10.1.2.0/24
Chain OUTPUT (policy ACCEPT 41881 packets, 7285K bytes)
pkts bytes target prot opt in out source
destination
I know that this patches are "work in progress" and my apologies if this is
a know problem, but I would like to know is this is a know issue.
PS: I'm using iptables v1.3.4-20060109 on Slackware 10.2
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-11 16:17 Marco Berizzi
@ 2006-01-12 4:07 ` Patrick McHardy
2006-01-12 8:30 ` Marco Berizzi
2006-01-12 9:41 ` Patrick McHardy
1 sibling, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2006-01-12 4:07 UTC (permalink / raw)
To: Marco Berizzi; +Cc: netfilter-devel
Marco Berizzi wrote:
> Hello.
> I'm testing the new iptables policy match on a snapshot kernel
> (2.6.15-git7).
> This is my simple network diagram:
>
> eth1 eth0
> eth0 eth1
> 10.1.2.0/24===172.16.1.247..[ipsec tunnel]..172.16.1.226===10.1.1.0/24
> -----2.6.15-git7 linux box-----
> --------2.4/KLIPS box----------
>
> I have setup a simple ipsec tunnel between the two linux boxes. So far,
> so good.
> I'm pinging from 10.1.2.1 (a system connected to the 10.1.2.0/24 net) to
> 10.1.1.1
> (a system connected to the 10.1.1.0/24 net). This is iptables -L -v output:
>
> root@Calimero:/tmp/RACOON# iptables -L -v
> Chain INPUT (policy ACCEPT 70672 packets, 15M bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 19 1140 ACCEPT all -- any any anywhere
> anywhere policy match dir out pol ipsec strict [0] [1] [2]
> [3] mode tunnel tunnel-dst 10.1.1.0/24 tunnel-src 10.1.2.0/24
> 0 0 DROP all -- any any anywhere
> anywhere policy match dir in pol ipsec strict [0] [1] [2] [3]
> mode tunnel tunnel-dst 10.1.2.0/24 tunnel-src 10.1.1.0/24
How did you add these rules? It looks like you used "--next" multiple
times without specifying a policy element ..
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 4:07 ` Patrick McHardy
@ 2006-01-12 8:30 ` Marco Berizzi
2006-01-12 8:43 ` Patrick McHardy
0 siblings, 1 reply; 19+ messages in thread
From: Marco Berizzi @ 2006-01-12 8:30 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Patrick McHardy wrote:
>Marco Berizzi wrote:
>>Hello.
>>I'm testing the new iptables policy match on a snapshot kernel
>>(2.6.15-git7).
>>This is my simple network diagram:
>>
>>eth1 eth0 eth0
>> eth1
>>10.1.2.0/24===172.16.1.247..[ipsec tunnel]..172.16.1.226===10.1.1.0/24
>>-----2.6.15-git7 linux box----- --------2.4/KLIPS
>>box----------
>>
>>I have setup a simple ipsec tunnel between the two linux boxes. So far, so
>>good.
>>I'm pinging from 10.1.2.1 (a system connected to the 10.1.2.0/24 net) to
>>10.1.1.1
>>(a system connected to the 10.1.1.0/24 net). This is iptables -L -v
>>output:
>>
>>root@Calimero:/tmp/RACOON# iptables -L -v
>>Chain INPUT (policy ACCEPT 70672 packets, 15M bytes)
>>pkts bytes target prot opt in out source
>>destination
>>
>>Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>pkts bytes target prot opt in out source
>>destination
>> 19 1140 ACCEPT all -- any any anywhere
>>anywhere policy match dir out pol ipsec strict [0] [1] [2] [3]
>>mode tunnel tunnel-dst 10.1.1.0/24 tunnel-src 10.1.2.0/24
>> 0 0 DROP all -- any any anywhere
>>anywhere policy match dir in pol ipsec strict [0] [1] [2] [3]
>>mode tunnel tunnel-dst 10.1.2.0/24 tunnel-src 10.1.1.0/24
>
>How did you add these rules? It looks like you used "--next" multiple
>times without specifying a policy element ..
This is the command:
iptables -P FORWARD DROP
iptables -A FORWARD -m policy --next --dir out --next --pol ipsec --next
--mode tunnel
--tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 --strict -j ACCEPT
iptables -A FORWARD -m policy --next --dir in --next --pol ipsec --next
--mode tunnel
--tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 --strict -j DROP
Are they wrong?
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 8:30 ` Marco Berizzi
@ 2006-01-12 8:43 ` Patrick McHardy
2006-01-12 10:38 ` Marco Berizzi
2006-01-20 15:54 ` Tom Eastep
0 siblings, 2 replies; 19+ messages in thread
From: Patrick McHardy @ 2006-01-12 8:43 UTC (permalink / raw)
To: Marco Berizzi; +Cc: netfilter-devel
Marco Berizzi wrote:
>
> Patrick McHardy wrote:
>
>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source
>>> destination
>>> 19 1140 ACCEPT all -- any any anywhere
>>> anywhere policy match dir out pol ipsec strict [0] [1] [2]
>>> [3] mode tunnel tunnel-dst 10.1.1.0/24 tunnel-src 10.1.2.0/24
>>> 0 0 DROP all -- any any anywhere
>>> anywhere policy match dir in pol ipsec strict [0] [1] [2]
>>> [3] mode tunnel tunnel-dst 10.1.2.0/24 tunnel-src 10.1.1.0/24
>>
>>
>> How did you add these rules? It looks like you used "--next" multiple
>> times without specifying a policy element ..
>
>
> This is the command:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -m policy --next --dir out --next --pol ipsec --next
> --mode tunnel
> --tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 --strict -j ACCEPT
> iptables -A FORWARD -m policy --next --dir in --next --pol ipsec --next
> --mode tunnel
> --tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 --strict -j DROP
>
> Are they wrong?
Yes, --next is needed only if your policy has multiple elements, like
"--mode tunnel --tunnel-src 1.2.3.4/32 --next --mode transform". I'll
fix up the userspace part to reject this incorrect use.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-11 16:17 Marco Berizzi
2006-01-12 4:07 ` Patrick McHardy
@ 2006-01-12 9:41 ` Patrick McHardy
1 sibling, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2006-01-12 9:41 UTC (permalink / raw)
To: Marco Berizzi; +Cc: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 795 bytes --]
Marco Berizzi wrote:
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 19 1140 ACCEPT all -- any any anywhere
> anywhere policy match dir out pol ipsec strict [0] [1] [2]
> [3] mode tunnel tunnel-dst 10.1.1.0/24 tunnel-src 10.1.2.0/24
> 0 0 DROP all -- any any anywhere
> anywhere policy match dir in pol ipsec strict [0] [1] [2] [3]
> mode tunnel tunnel-dst 10.1.2.0/24 tunnel-src 10.1.1.0/24
There was actually a real problem, the first rule should never have
matched because its length doesn't match the number of used transforms.
I've fixed it with this patch (and added the additional checks to
the userspace part).
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1305 bytes --]
[NETFILTER]: Check policy length in policy match strict mode
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit d98b092ef1a291d2fd31cbf1152bd16cca2e925d
tree bceb1f3d982e680b9ab3eb02e04e07a401bcd5db
parent a4fc7ab1d065a9dd89ed0e74439ef87d4a16e980
author Patrick McHardy <kaber@trash.net> Thu, 12 Jan 2006 10:38:26 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 12 Jan 2006 10:38:26 +0100
net/ipv4/netfilter/ipt_policy.c | 2 +-
net/ipv6/netfilter/ip6t_policy.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c
index 709debc..8d1111e 100644
--- a/net/ipv4/netfilter/ipt_policy.c
+++ b/net/ipv4/netfilter/ipt_policy.c
@@ -89,7 +89,7 @@ match_policy_out(const struct sk_buff *s
return 0;
}
- return strict ? 1 : 0;
+ return strict ? i == info->len : 0;
}
static int match(const struct sk_buff *skb,
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index 13fedad..33bd60e 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -91,7 +91,7 @@ match_policy_out(const struct sk_buff *s
return 0;
}
- return strict ? 1 : 0;
+ return strict ? i == info->len : 0;
}
static int match(const struct sk_buff *skb,
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 8:43 ` Patrick McHardy
@ 2006-01-12 10:38 ` Marco Berizzi
2006-01-12 10:42 ` Patrick McHardy
2006-01-20 15:54 ` Tom Eastep
1 sibling, 1 reply; 19+ messages in thread
From: Marco Berizzi @ 2006-01-12 10:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Patrick McHardy wrote:
>Marco Berizzi wrote:
>>
>>Patrick McHardy wrote:
>>
>>>>Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>>>pkts bytes target prot opt in out source
>>>>destination
>>>> 19 1140 ACCEPT all -- any any anywhere
>>>>anywhere policy match dir out pol ipsec strict [0] [1] [2]
>>>>[3] mode tunnel tunnel-dst 10.1.1.0/24 tunnel-src 10.1.2.0/24
>>>> 0 0 DROP all -- any any anywhere
>>>>anywhere policy match dir in pol ipsec strict [0] [1] [2] [3]
>>>>mode tunnel tunnel-dst 10.1.2.0/24 tunnel-src 10.1.1.0/24
>>>
>>>
>>>How did you add these rules? It looks like you used "--next" multiple
>>>times without specifying a policy element ..
>>
>>
>>This is the command:
>>
>>iptables -P FORWARD DROP
>>iptables -A FORWARD -m policy --next --dir out --next --pol ipsec --next
>>--mode tunnel
>>--tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 --strict -j ACCEPT
>>iptables -A FORWARD -m policy --next --dir in --next --pol ipsec --next
>>--mode tunnel
>>--tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 --strict -j DROP
>>
>>Are they wrong?
>
>Yes, --next is needed only if your policy has multiple elements, like
>"--mode tunnel --tunnel-src 1.2.3.4/32 --next --mode transform". I'll
>fix up the userspace part to reject this incorrect use.
Ok, my fault sorry. Here is my corrected (I hope) iptables rules:
iptables -P FORWARD DROP
iptables -F
iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
--tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
--tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
--tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
--tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
iptables -A FORWARD -s 10.1.2.0/24 -d 10.1.1.10/24 -j ACCEPT
iptables -A FORWARD -d 10.1.2.0/24 -s 10.1.1.10/24 -j ACCEPT
iptables -L -v output:
root@Calimero:/tmp/RACOON# iptables -L -v
Chain INPUT (policy ACCEPT 11574 packets, 2434K bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- any any anywhere anywhere
policy match dir out pol ipsec mode tunnel tunnel-dst
10.1.1.0/24 tunnel-src 10.1.2.0/24
0 0 DROP all -- any any anywhere anywhere
policy match dir in pol ipsec mode tunnel tunnel-dst 10.1.2.0/24
tunnel-src 10.1.1.0/24
0 0 DROP all -- any any anywhere anywhere
policy match dir in pol ipsec mode tunnel tunnel-dst 10.1.1.0/24
tunnel-src 10.1.2.0/24
0 0 DROP all -- any any anywhere anywhere
policy match dir out pol ipsec mode tunnel tunnel-dst
10.1.2.0/24 tunnel-src 10.1.1.0/24
1074 64440 ACCEPT all -- any any 10.1.2.0/24
10.1.1.0/24
1074 64440 ACCEPT all -- any any 10.1.1.0/24
10.1.2.0/24
Chain OUTPUT (policy ACCEPT 5983 packets, 933K bytes)
pkts bytes target prot opt in out source
destination
Ipsec policy match are never matched: I can ping-pong from-to both sites.
I'm not understand what is wrong.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 10:38 ` Marco Berizzi
@ 2006-01-12 10:42 ` Patrick McHardy
2006-01-12 10:48 ` Marco Berizzi
0 siblings, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2006-01-12 10:42 UTC (permalink / raw)
To: Marco Berizzi; +Cc: netfilter-devel
Marco Berizzi wrote:
> Ok, my fault sorry. Here is my corrected (I hope) iptables rules:
>
> iptables -P FORWARD DROP
> iptables -F
>
> iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
> --tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
> iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
> --tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>
> iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
> --tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
> iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
> --tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>
>
> iptables -A FORWARD -s 10.1.2.0/24 -d 10.1.1.10/24 -j ACCEPT
> iptables -A FORWARD -d 10.1.2.0/24 -s 10.1.1.10/24 -j ACCEPT
>
> iptables -L -v output:
>
> root@Calimero:/tmp/RACOON# iptables -L -v
> Chain INPUT (policy ACCEPT 11574 packets, 2434K bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DROP all -- any any anywhere
> anywhere policy match dir out pol ipsec mode tunnel
> tunnel-dst 10.1.1.0/24 tunnel-src 10.1.2.0/24
> 0 0 DROP all -- any any anywhere
> anywhere policy match dir in pol ipsec mode tunnel tunnel-dst
> 10.1.2.0/24 tunnel-src 10.1.1.0/24
> 0 0 DROP all -- any any anywhere
> anywhere policy match dir in pol ipsec mode tunnel tunnel-dst
> 10.1.1.0/24 tunnel-src 10.1.2.0/24
> 0 0 DROP all -- any any anywhere
> anywhere policy match dir out pol ipsec mode tunnel
> tunnel-dst 10.1.2.0/24 tunnel-src 10.1.1.0/24
> 1074 64440 ACCEPT all -- any any 10.1.2.0/24
> 10.1.1.0/24
> 1074 64440 ACCEPT all -- any any 10.1.1.0/24
> 10.1.2.0/24
>
> Chain OUTPUT (policy ACCEPT 5983 packets, 933K bytes)
> pkts bytes target prot opt in out source
> destination
>
> Ipsec policy match are never matched: I can ping-pong from-to both sites.
> I'm not understand what is wrong.
What does "ip xfrm policy" show?
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 10:42 ` Patrick McHardy
@ 2006-01-12 10:48 ` Marco Berizzi
2006-01-12 10:53 ` Patrick McHardy
0 siblings, 1 reply; 19+ messages in thread
From: Marco Berizzi @ 2006-01-12 10:48 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Patrick McHardy wrote:
>Marco Berizzi wrote:
>
>>Ok, my fault sorry. Here is my corrected (I hope) iptables rules:
>>
>>iptables -P FORWARD DROP
>>iptables -F
>>
>>iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
>>--tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
>>iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
>>--tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>>
>>iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
>>--tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
>>iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
>>--tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>>
>>
>>iptables -A FORWARD -s 10.1.2.0/24 -d 10.1.1.10/24 -j ACCEPT
>>iptables -A FORWARD -d 10.1.2.0/24 -s 10.1.1.10/24 -j ACCEPT
>>
>>iptables -L -v output:
>>
>>root@Calimero:/tmp/RACOON# iptables -L -v
>>Chain INPUT (policy ACCEPT 11574 packets, 2434K bytes)
>>pkts bytes target prot opt in out source
>>destination
>>
>>Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>pkts bytes target prot opt in out source
>>destination
>> 0 0 DROP all -- any any anywhere
>>anywhere policy match dir out pol ipsec mode tunnel tunnel-dst
>>10.1.1.0/24 tunnel-src 10.1.2.0/24
>> 0 0 DROP all -- any any anywhere
>>anywhere policy match dir in pol ipsec mode tunnel tunnel-dst
>>10.1.2.0/24 tunnel-src 10.1.1.0/24
>> 0 0 DROP all -- any any anywhere
>>anywhere policy match dir in pol ipsec mode tunnel tunnel-dst
>>10.1.1.0/24 tunnel-src 10.1.2.0/24
>> 0 0 DROP all -- any any anywhere
>>anywhere policy match dir out pol ipsec mode tunnel tunnel-dst
>>10.1.2.0/24 tunnel-src 10.1.1.0/24
>>1074 64440 ACCEPT all -- any any 10.1.2.0/24
>>10.1.1.0/24
>>1074 64440 ACCEPT all -- any any 10.1.1.0/24
>>10.1.2.0/24
>>
>>Chain OUTPUT (policy ACCEPT 5983 packets, 933K bytes)
>>pkts bytes target prot opt in out source
>>destination
>>
>>Ipsec policy match are never matched: I can ping-pong from-to both sites.
>>I'm not understand what is wrong.
>
>What does "ip xfrm policy" show?
root@Calimero:/usr/src/linux-2.6.15/net/ipv4/netfilter# ip xfrm policy
src 10.1.1.0/24 dst 10.1.2.0/24
dir in priority 2344
tmpl src 172.16.1.226 dst 172.16.1.247
proto comp reqid 16386 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16385 mode transport
src 10.1.2.0/24 dst 10.1.1.0/24
dir out priority 2344
tmpl src 172.16.1.247 dst 172.16.1.226
proto comp reqid 16386 mode tunnel
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16385 mode transport
src 10.1.1.0/24 dst 10.1.2.0/24
dir fwd priority 2344
tmpl src 172.16.1.226 dst 172.16.1.247
proto comp reqid 16386 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16385 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 10:48 ` Marco Berizzi
@ 2006-01-12 10:53 ` Patrick McHardy
2006-01-12 11:23 ` Marco Berizzi
0 siblings, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2006-01-12 10:53 UTC (permalink / raw)
To: Marco Berizzi; +Cc: netfilter-devel
Marco Berizzi wrote:
>
> Patrick McHardy wrote:
>
>> Marco Berizzi wrote:
>>
>>> Ok, my fault sorry. Here is my corrected (I hope) iptables rules:
>>>
>>> iptables -P FORWARD DROP
>>> iptables -F
>>>
>>> iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
>>> --tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
>>> iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
>>> --tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>>>
>>> iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
>>> --tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
>>> iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
>>> --tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>>>
> root@Calimero:/usr/src/linux-2.6.15/net/ipv4/netfilter# ip xfrm policy
> src 10.1.1.0/24 dst 10.1.2.0/24
> dir in priority 2344
> tmpl src 172.16.1.226 dst 172.16.1.247
These are the addresses you need to use for --tunnel-src/dst, not the
outer addresses. Those can be match with -s and -d are usual.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 10:53 ` Patrick McHardy
@ 2006-01-12 11:23 ` Marco Berizzi
2006-01-12 12:33 ` Patrick McHardy
0 siblings, 1 reply; 19+ messages in thread
From: Marco Berizzi @ 2006-01-12 11:23 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Patrick McHardy wrote:
>Marco Berizzi wrote:
>>
>>Patrick McHardy wrote:
>>
>>>Marco Berizzi wrote:
>>>
>>>>Ok, my fault sorry. Here is my corrected (I hope) iptables rules:
>>>>
>>>>iptables -P FORWARD DROP
>>>>iptables -F
>>>>
>>>>iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
>>>>--tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
>>>>iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
>>>>--tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>>>>
>>>>iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
>>>>--tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
>>>>iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
>>>>--tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>>>>
>>root@Calimero:/usr/src/linux-2.6.15/net/ipv4/netfilter# ip xfrm policy
>>src 10.1.1.0/24 dst 10.1.2.0/24
>> dir in priority 2344
>> tmpl src 172.16.1.226 dst 172.16.1.247
>
>These are the addresses you need to use for --tunnel-src/dst, not the
>outer addresses. Those can be match with -s and -d are usual.
Aha! ;-)) It's working. Thanks a lot. Perhaps _IMHO_ this should be
clarified in iptables man page. After all --tunnel-src/dst are the two
IPsec endpoint addresses. Right?
Thanks again and sorry for wasting your time.
Ciao.
PS: I'm compiling right now 2.6.15-git8 with your latest patch: Check
policy length in policy match strict mode.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 11:23 ` Marco Berizzi
@ 2006-01-12 12:33 ` Patrick McHardy
2006-01-12 14:37 ` Marco Berizzi
0 siblings, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2006-01-12 12:33 UTC (permalink / raw)
To: Marco Berizzi; +Cc: netfilter-devel
Marco Berizzi wrote:
>
> Patrick McHardy wrote:
>
>> These are the addresses you need to use for --tunnel-src/dst, not the
>> outer addresses. Those can be match with -s and -d are usual.
>
>
> Aha! ;-)) It's working. Thanks a lot. Perhaps _IMHO_ this should be
> clarified in iptables man page. After all --tunnel-src/dst are the two
> IPsec endpoint addresses. Right?
Yes. I don't see how it could be made any clearer, but feel free to
send a suggestion :)
--tunnel-src addr[/mask]
Matches the source address of a tunnel. Only valid with
--mode tunnel.
--tunnel-dst addr[/mask]
Matches the destination address of a tunnel. Only valid
with --mode tunnel.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 12:33 ` Patrick McHardy
@ 2006-01-12 14:37 ` Marco Berizzi
2006-01-12 16:31 ` Patrick McHardy
0 siblings, 1 reply; 19+ messages in thread
From: Marco Berizzi @ 2006-01-12 14:37 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Patrick McHardy wrote:
>Marco Berizzi wrote:
>>
>>Patrick McHardy wrote:
>>
>>>These are the addresses you need to use for --tunnel-src/dst, not the
>>>outer addresses. Those can be match with -s and -d are usual.
>>
>>
>>Aha! ;-)) It's working. Thanks a lot. Perhaps _IMHO_ this should be
>>clarified in iptables man page. After all --tunnel-src/dst are the two
>>IPsec endpoint addresses. Right?
>
>Yes. I don't see how it could be made any clearer, but feel free to
>send a suggestion :)
>
> --tunnel-src addr[/mask]
> Matches the source address of a tunnel. Only valid with
>--mode tunnel.
>
> --tunnel-dst addr[/mask]
> Matches the destination address of a tunnel. Only valid with
>--mode tunnel.
Ok. Here is my suggestion:
--tunnel-src addr[/mask]
matches the source end-point address of the SA. Only valid
with --mode tunnel
--tunnel-dst addr[/mask]
matches the destination end-point address of the SA. Only valid
with --mode tunnel
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 14:37 ` Marco Berizzi
@ 2006-01-12 16:31 ` Patrick McHardy
0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2006-01-12 16:31 UTC (permalink / raw)
To: Marco Berizzi; +Cc: netfilter-devel
Marco Berizzi wrote:
> Ok. Here is my suggestion:
>
> --tunnel-src addr[/mask]
> matches the source end-point address of the SA. Only valid
> with --mode tunnel
>
> --tunnel-dst addr[/mask]
> matches the destination end-point address of the SA. Only valid
> with --mode tunnel
Thanks, I've updated the man-page.
^ permalink raw reply [flat|nested] 19+ messages in thread
* RE: new iptables policy match
@ 2006-01-12 17:59 Greg Scott
2006-01-13 7:01 ` Patrick McHardy
0 siblings, 1 reply; 19+ messages in thread
From: Greg Scott @ 2006-01-12 17:59 UTC (permalink / raw)
To: Patrick McHardy, Marco Berizzi; +Cc: netfilter-devel
Just to be completely anal because I'm just a skinny
bald guy from Minnesota - is this ASCII art right?
If this is right, maybe this would make the man page
even clearer. Of course, if it's wrong, that means
I still don't get it.
LAN FW Internet FW LAN
<----+----+----------+----+----->
| | | |
Private Public Public Private
IP IP IP IP
Tunnel SA SA Tunnel
endpoint endpoint
- Greg Scott
-----Original Message-----
From: netfilter-devel-bounces@lists.netfilter.org
[mailto:netfilter-devel-bounces@lists.netfilter.org] On Behalf Of
Patrick McHardy
Sent: Thursday, January 12, 2006 10:31 AM
To: Marco Berizzi
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: new iptables policy match
Marco Berizzi wrote:
> Ok. Here is my suggestion:
>
> --tunnel-src addr[/mask]
> matches the source end-point address of the SA. Only valid with --mode
> tunnel
>
> --tunnel-dst addr[/mask]
> matches the destination end-point address of the SA. Only valid with
> --mode tunnel
Thanks, I've updated the man-page.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 17:59 Greg Scott
@ 2006-01-13 7:01 ` Patrick McHardy
0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2006-01-13 7:01 UTC (permalink / raw)
To: Greg Scott; +Cc: netfilter-devel, Marco Berizzi
Greg Scott wrote:
> Just to be completely anal because I'm just a skinny
> bald guy from Minnesota - is this ASCII art right?
> If this is right, maybe this would make the man page
> even clearer. Of course, if it's wrong, that means
> I still don't get it.
>
>
> LAN FW Internet FW LAN
> <----+----+----------+----+----->
> | | | |
> Private Public Public Private
> IP IP IP IP
>
> Tunnel SA SA Tunnel
> endpoint endpoint
No, the tunnel endpoints are the hosts using the tunnel-mode SA,
so in this case both firewalls.
^ permalink raw reply [flat|nested] 19+ messages in thread
* RE: new iptables policy match
@ 2006-01-13 21:18 Greg Scott
2006-01-14 16:22 ` Patrick McHardy
0 siblings, 1 reply; 19+ messages in thread
From: Greg Scott @ 2006-01-13 21:18 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel, Marco Berizzi
> No, the tunnel endpoints are the hosts using the
> tunnel-mode SA, so in this case both firewalls.
OK, so now I'm confused. And admittedly, IPSEC has made
me crazy for several years. Which NICs on the firewalls
are the endpoints? Is this picture better and more accurate?
LAN Internet LAN
<----+--FW---+-------------+--FW---+----->
| | | |
NIC with NIC with NIC with NIC with
private public public private
IP IP <---------> IP IP
SA
Tunnel Tunnel
endpoint endpoint
So the public NICs are the tunnel endpoints?
- Greg
-----Original Message-----
From: Patrick McHardy [mailto:kaber@trash.net]
Sent: Friday, January 13, 2006 1:02 AM
To: Greg Scott
Cc: Marco Berizzi; netfilter-devel@lists.netfilter.org
Subject: Re: new iptables policy match
Greg Scott wrote:
> Just to be completely anal because I'm just a skinny
> bald guy from Minnesota - is this ASCII art right?
> If this is right, maybe this would make the man page
> even clearer. Of course, if it's wrong, that means
> I still don't get it.
>
>
> LAN FW Internet FW LAN
> <----+----+----------+----+----->
> | | | |
> Private Public Public Private
> IP IP IP IP
>
> Tunnel SA SA Tunnel
> endpoint endpoint
No, the tunnel endpoints are the hosts using the tunnel-mode SA, so in
this case both firewalls.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-13 21:18 new iptables policy match Greg Scott
@ 2006-01-14 16:22 ` Patrick McHardy
0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2006-01-14 16:22 UTC (permalink / raw)
To: Greg Scott; +Cc: netfilter-devel, Marco Berizzi
Greg Scott wrote:
>>No, the tunnel endpoints are the hosts using the
>>tunnel-mode SA, so in this case both firewalls.
>
>
> OK, so now I'm confused. And admittedly, IPSEC has made
> me crazy for several years. Which NICs on the firewalls
> are the endpoints? Is this picture better and more accurate?
>
>
> LAN Internet LAN
> <----+--FW---+-------------+--FW---+----->
> | | | |
> NIC with NIC with NIC with NIC with
> private public public private
> IP IP <---------> IP IP
> SA
> Tunnel Tunnel
> endpoint endpoint
>
> So the public NICs are the tunnel endpoints?
Yes. Its very simple, the endpoints are the addresses you specify
in the policy in the tunnel section (x.x.x.x and y.y.y.y):
spdadd net/mask net/mask any ipsec out
tunnel/x.x.x.x-y.y.y.y/require;
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-12 8:43 ` Patrick McHardy
2006-01-12 10:38 ` Marco Berizzi
@ 2006-01-20 15:54 ` Tom Eastep
2006-01-22 13:38 ` Patrick McHardy
1 sibling, 1 reply; 19+ messages in thread
From: Tom Eastep @ 2006-01-20 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: Patrick McHardy
[-- Attachment #1: Type: text/plain, Size: 1077 bytes --]
On Thursday 12 January 2006 00:43, Patrick McHardy wrote:
>
> Yes, --next is needed only if your policy has multiple elements, like
> "--mode tunnel --tunnel-src 1.2.3.4/32 --next --mode transform". I'll
> fix up the userspace part to reject this incorrect use.
The second of those patches (Revision 6395 -- Move empty policy element check
to also catch last element) has broken compatibility with previous versions
of policy match.
Previously, the following command succeeded and matched any traffic that is to
be subsequently transformed:
gw:~ # iptables -A foo -m policy --pol ipsec --dir out -j ACCEPT
iptables v1.3.4: policy match: empty policy element
Try `iptables -h' or 'iptables --help' for more information.
gw:~ #
Is this incompatibility intentional? If so, I need to change Shorewall
accordingly.
Thanks,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: new iptables policy match
2006-01-20 15:54 ` Tom Eastep
@ 2006-01-22 13:38 ` Patrick McHardy
0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2006-01-22 13:38 UTC (permalink / raw)
To: Tom Eastep; +Cc: netfilter-devel
Tom Eastep wrote:
> On Thursday 12 January 2006 00:43, Patrick McHardy wrote:
>
>
>>Yes, --next is needed only if your policy has multiple elements, like
>>"--mode tunnel --tunnel-src 1.2.3.4/32 --next --mode transform". I'll
>>fix up the userspace part to reject this incorrect use.
>
>
> The second of those patches (Revision 6395 -- Move empty policy element check
> to also catch last element) has broken compatibility with previous versions
> of policy match.
>
> Previously, the following command succeeded and matched any traffic that is to
> be subsequently transformed:
>
> gw:~ # iptables -A foo -m policy --pol ipsec --dir out -j ACCEPT
> iptables v1.3.4: policy match: empty policy element
> Try `iptables -h' or 'iptables --help' for more information.
> gw:~ #
>
> Is this incompatibility intentional? If so, I need to change Shorewall
> accordingly.
Its a bug, thanks for catching this. I've fixed it up in SVN.
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2006-01-22 13:38 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-01-13 21:18 new iptables policy match Greg Scott
2006-01-14 16:22 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2006-01-12 17:59 Greg Scott
2006-01-13 7:01 ` Patrick McHardy
2006-01-11 16:17 Marco Berizzi
2006-01-12 4:07 ` Patrick McHardy
2006-01-12 8:30 ` Marco Berizzi
2006-01-12 8:43 ` Patrick McHardy
2006-01-12 10:38 ` Marco Berizzi
2006-01-12 10:42 ` Patrick McHardy
2006-01-12 10:48 ` Marco Berizzi
2006-01-12 10:53 ` Patrick McHardy
2006-01-12 11:23 ` Marco Berizzi
2006-01-12 12:33 ` Patrick McHardy
2006-01-12 14:37 ` Marco Berizzi
2006-01-12 16:31 ` Patrick McHardy
2006-01-20 15:54 ` Tom Eastep
2006-01-22 13:38 ` Patrick McHardy
2006-01-12 9:41 ` Patrick McHardy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.