From: Patrick McHardy <kaber@trash.net>
To: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Cc: netdev@vger.kernel.org, netfilter-devel@lists.netfilter.org,
herbert@gondor.apana.org.au
Subject: Re: [NF+IPsec 4/6]: Make IPsec input processing symetrical to output
Date: Tue, 08 Nov 2005 15:01:43 +0100 [thread overview]
Message-ID: <4370AFC7.2040701@trash.net> (raw)
In-Reply-To: <200511051032.jA5AWl2l000619@toshiba.co.jp>
Yasuyuki KOZAKAI wrote:
> I try to comment based on discussion with Yoshifuji-san and Miyazawa-san.
>
> We think it's confusing for user to mix decrypted packets and pre-decrypted
> ones to same hook. For example, if user want to accept packets encrypted by
> transport mode ESP and drop others, he will do "iptables -A INPUT -p esp -j
> ACCEPT" and "iptables -P INPUT DROP". But decrypted packets will be dropped
> because of the 2nd command. Of cause the match module 'policy' will be helpful
> in such case, but it's simple if he can different name of hook with INPUT.
>
> And, in logical, the hook for decrypted packet and the one for pre-decrypted
> packet is different like the current LOCAL_IN and LOCAL_OUT. Their place and
> the packets they can see, are different.
I disagree. LOCAL_IN is for locally delivered packets, and both the
decrypted and the encrypted packet are delivered locally. This is
true for tunnel mode, handling transport mode the same way seem
consistent, not confusing to me. This is also the way klips has
done it for ages and users are used to this and are actually asking
for exactly this behaviour.
> This can be said about output path. The hook for encrypted packet and the one
> for pre-encrypted packet is different.
Well, this is not intended but one of the problems I want to fix.
> In the current, LOCAL_OUT see pre-encrypted packet. I've been assuming
> that LOCAL_OUT see the packets just before sending them from network device.
> This is the reason why I said "I support the way" - which means LOCAL_OUT
> doesn't see pre-encrypted packet.
Same holds here. LOCAL_OUT is for locally generated packets, and should
see both the plain text and the encrypted packet. This is entirely
consistent with other tunnels like IPIP or GRE.
> Meanwhile the hook to see pre-encrypted packet is necessary for NAT
> indeed as you pointed out. Then our suggestion is adding new hook
> with new name, and distinguishing cleary between the usage of new and
> current hook.
We can't do that because introducing new hooks to the tables breaks
userspace compatibility.
Regards
Patrick
next prev parent reply other threads:[~2005-11-08 14:01 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-17 0:22 [NF+IPsec 4/6]: Make IPsec input processing symetrical to output Patrick McHardy
2005-10-17 0:49 ` YOSHIFUJI Hideaki / 吉藤英明
2005-10-17 1:24 ` Patrick McHardy
2005-10-17 1:46 ` Herbert Xu
2005-10-25 23:09 ` Patrick McHardy
2005-10-25 23:10 ` Herbert Xu
2005-10-25 23:14 ` Patrick McHardy
2005-10-26 0:39 ` Herbert Xu
2005-10-27 14:42 ` Patrick McHardy
2005-10-30 23:15 ` Patrick McHardy
2005-10-31 3:19 ` Yasuyuki KOZAKAI
2005-11-01 18:39 ` Stephen Frost
[not found] ` <200510310319.j9V3JHNl019752@toshiba.co.jp>
2005-11-01 18:23 ` Patrick McHardy
2005-10-26 4:39 ` James Morris
2005-10-26 7:37 ` Ingo Oeser
2005-10-26 13:37 ` Stephen Frost
2005-10-27 12:15 ` Herbert Xu
2005-10-27 14:57 ` YOSHIFUJI Hideaki / 吉藤英明
2005-10-27 16:58 ` Patrick McHardy
2005-11-05 6:30 ` Herbert Xu
2005-11-05 7:55 ` Patrick McHardy
2005-11-05 8:39 ` Herbert Xu
2005-11-05 8:58 ` Patrick McHardy
2005-11-05 9:09 ` Herbert Xu
2005-11-05 9:19 ` Patrick McHardy
2005-11-05 9:38 ` Herbert Xu
2005-11-05 9:55 ` Patrick McHardy
2005-11-05 10:01 ` Herbert Xu
2005-11-05 10:05 ` Patrick McHardy
2005-11-05 10:32 ` Yasuyuki KOZAKAI
[not found] ` <200511051032.jA5AWl2l000619@toshiba.co.jp>
2005-11-08 14:01 ` Patrick McHardy [this message]
2005-11-05 8:23 ` YOSHIFUJI Hideaki / 吉藤英明
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4370AFC7.2040701@trash.net \
--to=kaber@trash.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=yasuyuki.kozakai@toshiba.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).