* xt_policy: output policy not valid in PRE_ROUTING and INPUT
@ 2007-08-06 11:22 Krzysztof Oledzki
2007-08-06 12:30 ` Patrick McHardy
0 siblings, 1 reply; 4+ messages in thread
From: Krzysztof Oledzki @ 2007-08-06 11:22 UTC (permalink / raw)
To: netfilter-devel
Hello,
Is there any reason why it is not possible to use "-m policy --dir out" in
PREROUTING? I tried to do something like:
-A PREROUTING -m policy --dir out --pol ipsec -j RETURN
-A PREROUTING -p tcp -i $IF_LANBR --dport 80 -j REDIRECT --to-ports 8088
Best regards,
Krzysztof Olędzki
* Re: xt_policy: output policy not valid in PRE_ROUTING and INPUT
From: Patrick McHardy @ 2007-08-06 12:30 UTC (permalink / raw)
To: Krzysztof Oledzki; +Cc: netfilter-devel
Krzysztof Oledzki wrote:
> Hello,
>
> Is there any reason why it is not possible to use "-m policy --dir out"
> in PREROUTING? I tried to do something like:
>
> -A PREROUTING -m policy --dir out --pol ipsec -j RETURN
> -A PREROUTING -p tcp -i $IF_LANBR --dport 80 -j REDIRECT --to-ports 8088
The IPsec policy is selected after routing, which is why it can't
be used in PREROUTING.
* Re: xt_policy: output policy not valid in PRE_ROUTING and INPUT
From: Krzysztof Oledzki @ 2007-08-06 12:41 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Mon, 6 Aug 2007, Patrick McHardy wrote:
> Krzysztof Oledzki wrote:
>> Hello,
>>
>> Is there any reason why it is not possible to use "-m policy --dir out"
>> in PREROUTING? I tried to do something like:
>>
>> -A PREROUTING -m policy --dir out --pol ipsec -j RETURN
>> -A PREROUTING -p tcp -i $IF_LANBR --dport 80 -j REDIRECT --to-ports 8088
>
>
> The IPsec policy is selected after routing, which is why it can't
> be used in PREROUTING.
Is there any other solution than duplicating ipsec policies with "-A
PREROUTING -s (...) -d (...) -p (...) -j RETURN"? I would like to REDIRECT
only packets that are not going thru ipsec tunnels.
Best regards,
Krzysztof Olędzki
* Re: xt_policy: output policy not valid in PRE_ROUTING and INPUT
From: Patrick McHardy @ 2007-08-06 12:44 UTC (permalink / raw)
To: Krzysztof Oledzki; +Cc: netfilter-devel
Krzysztof Oledzki wrote:
> On Mon, 6 Aug 2007, Patrick McHardy wrote:
>
>> The IPsec policy is selected after routing, which is why it can't
>> be used in PREROUTING.
>
>
> Is there any other solution than duplicating ipsec policies with "-A
> PREROUTING -s (...) -d (...) -p (...) -j RETURN"? I would like to
> REDIRECT only packets that are not going thru ipsec tunnels.
I can't think of one.
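
The workaround named in this thread, duplicating each outbound IPsec policy selector as a PREROUTING RETURN rule, can be generated instead of maintained by hand. The script below is an added example, not code from either participant; it assumes the `ip xfrm policy` text layout shown in the constructed sample, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn "dir out" IPsec policy selectors into
# "-A PREROUTING -s ... -d ... -j RETURN" lines, the form quoted in the thread.

# Constructed sample, laid out like the output of `ip xfrm policy`.
# On a live gateway, pipe the real command into gen_bypass_rules instead.
sample_policies() {
cat <<'EOF'
src 192.168.10.0/24 dst 10.20.0.0/16
    dir out priority 2343 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.7
        proto esp reqid 1 mode tunnel
src 10.20.0.0/16 dst 192.168.10.0/24
    dir in priority 2343 ptype main
    tmpl src 203.0.113.7 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 192.168.10.0/24 dst 172.16.5.0/24
    dir out priority 2343 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.9
        proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
EOF
}

gen_bypass_rules() {
    awk '
        # Selector line (unindented): remember src/dst until the direction is known.
        /^src / && $3 == "dst" { src = $2; dst = $4; next }
        # Direction line: only outbound policies describe traffic that would
        # otherwise hit the REDIRECT rule before reaching the tunnel.
        $1 == "dir" {
            if ($2 == "out" && src != "")
                printf "-A PREROUTING -s %s -d %s -j RETURN\n", src, dst
            src = ""; dst = ""
        }
        # "tmpl", "proto" and per-socket policy lines are ignored.
    '
}

# Stand-alone run: print the rules for the constructed sample.
sample_policies | gen_bypass_rules
```

The generated lines belong in the nat table ahead of the REDIRECT rule, and they go stale whenever the IPsec policies change, so the list has to be regenerated at that point.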