From: Andreas Jellinghaus <aj@dungeon.inka.de>
To: Harald Welte <laforge@netfilter.org>
Cc: netfilter-devel@lists.netfilter.org,
netfilter@lists.netfilter.org, netdev@oss.sgi.com
Subject: Re: port-based filtering of ESP packets with in-kernel IPsec?
Date: 30 Jul 2003 16:51:41 +0200 [thread overview]
Message-ID: <1059576701.4586.20.camel@simulacron> (raw)
In-Reply-To: <20030730142411.GD4553@sunbeam.de.gnumonks.org>
Hi,
if you are using ipsec from kernel 2.6.* there is no "ipsec0"
interface, and thus using netfilter isn't as easy as it was with
freeswan.
three ways to solve the problem, only tried the first one so far:
1.) configure ipsec in tunnel mode, add your tunnel ip to
the outgoing interface, change the default route to
set the source ip to the tunnel ip.
note: there is no routing step after encapsulating a packet
with ipsec, there was one with freeswan, so this is different.
2.) set a fwmark on an esp packet, it should be there after
unpacking/decryption. didn't try this one.
3.) do not use the build in tunneling. use an explicit ipip tunnel.
that way you have the interface, can use it in netfilter,
can route into it, and the interface will set the right
source address.
[netfilter]
incoming encrypted packets are seen as ESP/AH in INPUT
and then as decrypted packet in INPUT or FORWARD.
outgoing packets are only seen as ESP in OUTPUT.
> > Since ESP packets that reach the mangle INPUT chain are destined for a
> > local process, why not unencapsulate them just before that point?
INPUT only means the ESP will be decrypted/unecapsulated.
after that the decrypted packet will show up in INPUT or FORWARD.
> no. My preferred solution was something like adding a netfilter hook to
> the xfrm4 engine, exactly after decapsulation / decryption of one layer,
> i.e. after xfrm_type.input was called.
>
> iptables could then register the INPUT chain (or probably even a
> seperate POSTXFRM chain) in order to filter on the respective packets.
you can already filter incoming packets. The problem is you
don't know if they came in that way they look now, or if they
came in via ESP packets and got decrypted.
maybe decryption/unencapsulating could leave a mark on the
packet, so we know packets without that mark came in without
ipsec and are bad / attempts to access resources without ipsec?
(maybe fwmark works on that. or an explicit ipip tunnel, so you
have "ipip0" or something as incoming interface).
> Any comments are appreciated.
Regards, Andreas
next prev parent reply other threads:[~2003-07-30 14:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1059540296.16545.305.camel@k7.localnet>
2003-07-30 14:24 ` port-based filtering of ESP packets with in-kernel IPsec? Harald Welte
2003-07-30 14:51 ` Andreas Jellinghaus [this message]
2003-07-30 15:16 ` Harald Welte
2003-07-30 20:37 ` Dax Kelson
2003-07-30 22:51 ` Dax Kelson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1059576701.4586.20.camel@simulacron \
--to=aj@dungeon.inka.de \
--cc=laforge@netfilter.org \
--cc=netdev@oss.sgi.com \
--cc=netfilter-devel@lists.netfilter.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).