From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: [netfilter-core] [NETFILTER] Apply IPsec to ipt_REJECT packets
Date: Tue, 23 Nov 2004 19:17:36 +0100
Message-ID: <41A37EC0.8010901@trash.net>
References: <20041123084225.GA3514@gondor.apana.org.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "David S. Miller", coreteam@netfilter.org, netdev@oss.sgi.com
Return-path:
To: Herbert Xu
In-Reply-To: <20041123084225.GA3514@gondor.apana.org.au>
Sender: netdev-bounce@oss.sgi.com
Errors-to: netdev-bounce@oss.sgi.com
List-Id: netdev.vger.kernel.org

Herbert Xu wrote:

>Hi:
>
>I found out today that packets generated by ipt_REJECT weren't protected
>by IPsec. This is because the proto field isn't set at all in the flow
>supplied to ip_route_output_key.
>
>The following patch sets that as well as protocol-specific fields so
>that the appropriate IPsec policy can be applied.
>
>

The patch doesn't handle tcp resets sent in response to a forwarded
packet. I'll send a patch later tonight.

Regards
Patrick