From: Sergei Zhirikov <sfzhi@yahoo.com>
To: netfilter@vger.kernel.org
Subject: Re: question about esp and policy matching rule
Date: Mon, 19 Jul 2010 13:14:00 +0200
Message-ID: <i21c1p$cl6$1@dough.gmane.org>
In-Reply-To: <OFC79F2599.5D7A2E5E-ON85257765.0011E584-86257765.0013332D@us.ibm.com>

On 2010-07-19 05:29, Richard Knight wrote:
>
> Hello,
>
>   I don't fully understand the two rules below.
>
> Since each of the rules gets inserted at position 1 in the table, the ESP
> rule ends up below the policy matching rule. Will the ESP rule ever be
> checked?
>
> # allow all ipsec traffic into and out
> $IP6_TABLES -I INPUT  1 -i $EXIF -p esp -j ACCEPT
> $IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
> $IP6_TABLES -I INPUT  1 -i $EXIF -m policy --dir in  --pol ipsec  -j ACCEPT
> $IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec  -j ACCEPT
>
> I have an application which does not seem to operate through my ipsec
> tunnel without both rules in place, and I'm having trouble figuring out why.
>

The order of those rules does not matter. They have different purposes and match different packets.

With IPSec involved, packets pass netfilter twice. For example, if you have an incoming ESP packet
that contains a UDP packet as payload, the following happens.

1. The ESP packet passes netfilter and matches the line with "-I INPUT -p esp".
2. The packet is decrypted and its payload (the UDP packet in this example) is processed further.
3. The UDP packet passes netfilter and matches the line with "-I INPUT -m policy ...".

In other words, "-m policy" applies to packets after IPSec decapsulation (or before encapsulation, for outgoing packets).

--
Sergei.


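A check to confirm the two-pass traversal described in the reply, added here as an example and not code from the thread or from either poster: it reads the INPUT chain's per-rule packet counters and verifies that both the "-p esp" rule (outer packet) and the "-m policy --dir in --pol ipsec" rule (decapsulated inner packet) are being hit. It assumes Richard's rules are loaded with $IP6_TABLES and $EXIF substituted and that counters are read with "ip6tables -L INPUT -v -n -x"; the listing embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. It confirms the two-pass traversal
# Sergei describes by reading per-rule packet counters from the INPUT chain:
# after traffic crosses the tunnel, the "-p esp" rule (outer packet) and the
# "-m policy --dir in --pol ipsec" rule (decapsulated inner packet) must BOTH
# show hits. ESP hits with zero policy hits means the inner packets are not
# matching (wrong --dir, missing SA/SP, or a rule order/chain mistake).
# Assumes the rules from the thread are loaded and counters are read with
# "ip6tables -L INPUT -v -n -x".

# Constructed sample output (not captured from a real host): 12 ESP packets
# accepted, then 12 inner packets matched the policy rule.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 3 packets, 240 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12     1440 ACCEPT     esp      eth0   *       ::/0                 ::/0
      12      960 ACCEPT     all      eth0   *       ::/0                 ::/0                 policy match dir in pol ipsec'

# Sum hits of ACCEPT rules on protocol ESP (first pass). $1=pkts, $3=target,
# $4=prot in "-v" listings; stdin is the listing.
esp_hits() {
    awk '$3 == "ACCEPT" && ($4 == "esp" || $4 == "50") { n += $1 } END { print n + 0 }'
}

# Sum hits of ACCEPT rules carrying the policy match (second pass).
policy_hits() {
    awk '$3 == "ACCEPT" && /policy match dir in pol ipsec/ { n += $1 } END { print n + 0 }'
}

# check_two_pass <listing>: 0 when both passes show traffic, 1 when ESP was
# accepted but nothing reached the policy rule, 2 when no ESP arrived at all.
check_two_pass() {
    esp=$(printf '%s\n' "$1" | esp_hits)
    pol=$(printf '%s\n' "$1" | policy_hits)
    if [ "$esp" -eq 0 ]; then
        echo "no ESP packets accepted on INPUT" >&2
        return 2
    elif [ "$pol" -eq 0 ]; then
        echo "ESP accepted ($esp) but no inner packets matched -m policy" >&2
        return 1
    fi
    echo "ok: esp=$esp policy=$pol"
}

# Live use as root with the thread's rules loaded:
#   check_two_pass "$(ip6tables -L INPUT -v -n -x)"
check_two_pass "$SAMPLE_COUNTERS"
```

Run it once before and once after sending traffic through the tunnel; if only the ESP counter moves, the inner packets are not being matched by the policy rule.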