From: Patrick McHardy <kaber@trash.net>
To: Jari Laurila <jari.laurila@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: SNAT with ipsec => return packets not de-natted
Date: Wed, 04 Nov 2009 13:27:21 +0100
Message-ID: <4AF17329.7010506@trash.net>
In-Reply-To: <a906663d0911031105g1f8a8a27o67cf77ab5fe73e54@mail.gmail.com>

Jari Laurila wrote:
> On Tue, Nov 3, 2009 at 8:54 AM, Jari Laurila <jari.laurila@gmail.com> wrote:
>> Doesn't anyone have any clues for the problem I sent to the list on Sunday?
>>
>> I find it really strange that decrypted packets coming from ipsec
>> tunnel with destination address xx.xx.xx.42 are sent through interface
>> ext1 even though ip -s route get xx.xx.xx.42 says that packet should
>> go through interface ext0b. Ipsec tunnel itself is going through
>> interface ext1 but shouldn't packets get routed after they come from
>> tunnel? I even tried to look at kernel code to figure out why this
>> happens but I don't know enough about kernel and my C skills are a bit
>> lacking, so I couldn't find the cause.
>>
> 
> Update: Netfilter sees the packet in the mangle table's PREROUTING chain (I
> added a LOG rule), but the nat table does not see the packet.
> 
> I also have fwd policy defined for the connection in question:
> 
> src srcip.srcip.srcip.secip/32 dst dstip.dstip.dstip.42/32
>         dir fwd priority 0
>         tmpl src gwip.gwip.gwip.gwip dst remgw.remgw.remgw.remgw
>                 proto esp reqid 0 mode tunnel

Try adding a TRACE rule to see how the packet traverses the netfilter
hooks.
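The TRACE target suggested above lives in the raw table and makes the kernel log one `TRACE: table:chain:type:rulenum ...` line (through the LOG backend, readable in dmesg or syslog) for every table and chain the packet passes. The script below is an added example, not part of the thread: it shows the shape of the rule and then reduces constructed TRACE log lines (documentation-range addresses standing in for the poster's real ones) to the ordered list of hooks each packet hit, so that "mangle sees it, nat does not" becomes something you can read off directly.

```shell
#!/bin/sh
# Added example. The rule that produces TRACE output for one flow looks like
# this (placeholder addresses, needs root, not executed here):
#   iptables -t raw -A PREROUTING -s SRCIP -d DSTIP -j TRACE
#   iptables -t raw -A OUTPUT     -s SRCIP -d DSTIP -j TRACE

# Constructed log lines in the format the LOG backend emits for TRACE.
# 192.0.2.10 is a packet that skips the nat table; 192.0.2.11 is one that
# traverses nat:PREROUTING and is then routed out via ext0b.
TRACE_LOG='kernel: TRACE: raw:PREROUTING:policy:2 IN=ext1 OUT= SRC=192.0.2.10 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: mangle:PREROUTING:rule:1 IN=ext1 OUT= SRC=192.0.2.10 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: mangle:PREROUTING:policy:2 IN=ext1 OUT= SRC=192.0.2.10 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: mangle:FORWARD:policy:1 IN=ext1 OUT=ext1 SRC=192.0.2.10 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: filter:FORWARD:rule:3 IN=ext1 OUT=ext1 SRC=192.0.2.10 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: raw:PREROUTING:policy:2 IN=ext1 OUT= SRC=192.0.2.11 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: mangle:PREROUTING:policy:2 IN=ext1 OUT= SRC=192.0.2.11 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: nat:PREROUTING:rule:1 IN=ext1 OUT= SRC=192.0.2.11 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: mangle:FORWARD:policy:1 IN=ext1 OUT=ext0b SRC=192.0.2.11 DST=203.0.113.42 PROTO=ICMP
kernel: TRACE: filter:FORWARD:policy:1 IN=ext1 OUT=ext0b SRC=192.0.2.11 DST=203.0.113.42 PROTO=ICMP'

# trace_path LOGTEXT SRC DST
# Prints the table:chain hops the packet with that SRC/DST pair took, in
# order, collapsing consecutive entries from the same chain (rule hits
# followed by the chain policy) into one.
trace_path() {
    printf '%s\n' "$1" \
      | grep "SRC=$2 DST=$3" \
      | sed -n 's/.*TRACE: \([^:]*:[^:]*\):[^ ]* .*/\1/p' \
      | uniq \
      | tr '\n' ' ' \
      | sed 's/ $//'
}

# visited_table LOGTEXT SRC DST TABLE
# Succeeds (exit 0) if any hop on the packet's path is in TABLE.
visited_table() {
    trace_path "$1" "$2" "$3" | tr ' ' '\n' | grep -q "^$4:"
}

# Stand-alone usage: print both paths and flag which one skipped nat.
for src in 192.0.2.10 192.0.2.11; do
    printf '%s -> %s: %s\n' "$src" 203.0.113.42 \
        "$(trace_path "$TRACE_LOG" "$src" 203.0.113.42)"
    if visited_table "$TRACE_LOG" "$src" 203.0.113.42 nat; then
        echo "  nat table consulted"
    else
        echo "  nat table NOT consulted"
    fi
done
```

Reading the output: a path of the form `raw:PREROUTING mangle:PREROUTING mangle:FORWARD filter:FORWARD` with no `nat:` entry is exactly the symptom described in the thread. One caveat worth keeping in mind while interpreting it: the nat table is only consulted for the first packet of a connection, so a packet that conntrack already associates with an existing entry will legitimately show no `nat:PREROUTING` hop, and the `OUT=` interface on the FORWARD lines tells you which route the packet actually took after decapsulation.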


Thread overview: 6+ messages
2009-11-01 18:50 SNAT with ipsec => return packets not de-natted Jari Laurila
2009-11-03  6:54 ` Jari Laurila
2009-11-03 19:05   ` Jari Laurila
2009-11-04 12:27     ` Patrick McHardy [this message]
2009-11-05  6:44       ` Jari Laurila
2009-11-05 15:24         ` Jari Laurila
