From: Patrick McHardy <kaber@trash.net>
To: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Cc: netdev@vger.kernel.org, netfilter-devel@lists.netfilter.org,
herbert@gondor.apana.org.au
Subject: Re: [NF+IPsec 4/6]: Make IPsec input processing symetrical to output
Date: Tue, 01 Nov 2005 19:23:22 +0100 [thread overview]
Message-ID: <4367B29A.8050809@trash.net> (raw)
In-Reply-To: <200510310319.j9V3JHNl019752@toshiba.co.jp>
Yasuyuki KOZAKAI wrote:
>>Patrick McHardy wrote:
>>
>>>Herbert Xu wrote:
>>>
>>>>I presume that you will be changing the output path so that LOCAL_OUT
>>>>does not see the plain-text packet. Otherwise it'll be asymmetric with
>>>>repsect to the inbound side which does not see plain-text packets for
>>>>transport mode SAs.
>
> I support this way.
Hiding the packets from the hooks dependant on the xfrm_state is always
a problem with NAT, because when we do a second xfrm lookup after NAT
it is already to late to hide the packets.
>>>Yes, that was the idea. But since people seem to consider this an
>>>important case to handle I'm going to try the per-SA flag you
>>>proposed. I'll send new patches in the next days.
>
> I think pure transport mode is important, too. For example, for users of
> L2TP over IPsec.
>
> But I'm not sure that how many people wants to use netfilter hook together.
> At least, I don't need that. Because I can use IPsec policy instead of
> iptables rule and that's enough for me.
>
> I also think that it's the work for IPsec policy check to decide to
> accept or drop decrypted packets on input path of transport mode, that is
> not netfilter work.
I agree that its the job of policy checks, but its often simpler to
add a policy which includes just IP addresses and use iptables for
filtering. Connection state, TCP flags, ..., can't be handled using
policy checks, and netfilter might also be used for marking, TCP MSS
rewriting, proxy redirection, ...
> On the other hand, for the users who want to use local NAT and IPsec
> transport mode together, we might have to add netfilter hook to input
> path. But I'm not sure how many such users are. If nobody want, hooks
> we need are only LOCAL_OUT and POST_ROUTING on output path per tunnel.
Yes, we could add new hooks and duplicate the relevant code from the
IP input path. But I think just sending the packets through the stack
again is cleaner.
>>Unfortunately hiding the plain-text packets on output when transport
>>mode SAs are used and the flag is not set adds a new inconsistency
>>with NAT. In my last patchsets NAT was handled by redoing the policy
>>lookup when a packet was NATed at LOCAL_OUT or POST_ROUTING and wasn't
>>already transformed. If the new lookup yielded a policy
>>ip_dst_output/__ip_dst_output was called again. The hooks were always
>>called in the normal order. With a per-SA flag however we don't know
>>if the packet should be hidden before the second lookup is done, so
>>with NAT a packet that would usually be hidden might be visible
>>on LOCAL_OUT and POST_ROUTING, or just LOCAL_OUT. This also affects
>>ip_queue.
>
> Sorry, maybe I don't understand. per-SA flag means that packets go through
> netfilter hook before handling of its SA on output path ? Why it isn't
> 'after' ?
The idea was to usually hide transport mode packets on the output path
from netfilter hooks, unless a special flag in the xfrm_state is set.
On input the flag would make a packet decapsulated from a transport mode
SA through the stack again. But it has the same problem wrt. NAT I
described above as hiding unconditionally.
next prev parent reply other threads:[~2005-11-01 18:23 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-17 0:22 [NF+IPsec 4/6]: Make IPsec input processing symetrical to output Patrick McHardy
2005-10-17 0:49 ` YOSHIFUJI Hideaki / 吉藤英明
2005-10-17 1:24 ` Patrick McHardy
2005-10-17 1:46 ` Herbert Xu
2005-10-25 23:09 ` Patrick McHardy
2005-10-25 23:10 ` Herbert Xu
2005-10-25 23:14 ` Patrick McHardy
2005-10-26 0:39 ` Herbert Xu
2005-10-27 14:42 ` Patrick McHardy
2005-10-30 23:15 ` Patrick McHardy
2005-10-31 3:19 ` Yasuyuki KOZAKAI
2005-11-01 18:39 ` Stephen Frost
[not found] ` <200510310319.j9V3JHNl019752@toshiba.co.jp>
2005-11-01 18:23 ` Patrick McHardy [this message]
2005-10-26 4:39 ` James Morris
2005-10-26 7:37 ` Ingo Oeser
2005-10-26 13:37 ` Stephen Frost
2005-10-27 12:15 ` Herbert Xu
2005-10-27 14:57 ` YOSHIFUJI Hideaki / 吉藤英明
2005-10-27 16:58 ` Patrick McHardy
2005-11-05 6:30 ` Herbert Xu
2005-11-05 7:55 ` Patrick McHardy
2005-11-05 8:39 ` Herbert Xu
2005-11-05 8:58 ` Patrick McHardy
2005-11-05 9:09 ` Herbert Xu
2005-11-05 9:19 ` Patrick McHardy
2005-11-05 9:38 ` Herbert Xu
2005-11-05 9:55 ` Patrick McHardy
2005-11-05 10:01 ` Herbert Xu
2005-11-05 10:05 ` Patrick McHardy
2005-11-05 10:32 ` Yasuyuki KOZAKAI
[not found] ` <200511051032.jA5AWl2l000619@toshiba.co.jp>
2005-11-08 14:01 ` Patrick McHardy
2005-11-05 8:23 ` YOSHIFUJI Hideaki / 吉藤英明
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4367B29A.8050809@trash.net \
--to=kaber@trash.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=yasuyuki.kozakai@toshiba.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).