From: "Slagter, EM" <eslagter@wlz.nl>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Subject: Re: Possible bug ipsec and SNAT?
Date: Thu, 20 Dec 2007 11:51:56 +0100 [thread overview]
Message-ID: <476A494C.1050606@wlz.nl> (raw)
In-Reply-To: <47692E3D.7090008@trash.net>
Patrick McHardy wrote:
>> As soon as I add SNAT to traffic originating from this vlan (as required
>> by our supplier), the rules that (properly) used to match on "-m policy
>> --pol ipsec --dir out --tunnel-src ... --tunnel-dst ..." no longer
>> match. Even if I remove the tunnel-src and --tunnel-dst the rule no
>> longer matches. If I change "the --pol ipsec" to "--pol none" the rule
>> matches again. This is wrong IMHO as the traffic is still encapsulated
>> (checked this with tshark) as expected.
> This is expected behaviour. Before NAT takes place, the packet
> doesn't match a policy, it only does after getting mangled by
> NAT, but at that point it already passed through your policy
> matches.
I think we're not talking about the same thing :-/
I have a rule in the filter table like this:
iptables -t filter -A FORWARD -i ... -o ... -s ... -d ... -m policy
--mode tunnel --pol ipsec --dir out --tunnnel-src ... --tunnel-dst ...
-j ACCEPT
This rule works as expected, it matches certain ipsec traffic as intended.
As soon as I add a rule like this to the nat table:
iptables -t nat -A POSTROUTING -s ... -d ... -j SNAT --to-source ...
then the OTHER rule (above, the one in the filter table) doesn't match
anymore. This has nothing to do with the source address having changed
because even in this "bare" form:
iptables -t filter -A FORWARD -i ... -o ... -m policy --pol ipsec --dir out
it doesn't match.
This one does match (changed --pol ipsec into --pol none):
iptables -t filter -A FORWARD -i ... -o ... -m policy --pol none --dir out
Yet the traffic IS being encapsulated like before I applied the SNAT rule.
That doesn't seem right to me.
Maybe it's just that I take the wrong approach to the problem; our
supplier requires an ipsec "tunnel" where our internal ip addresses are
translated to a public ip address, I am talking about the encapsulated
packets here, not the ESP packets. With my approach and the current
behaviour, I cannot apply policies properly for this traffic. I am not
at all happy with the situation, but I cannot change it :-(
Thx.
next prev parent reply other threads:[~2007-12-20 10:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-19 11:42 Possible bug ipsec and SNAT? Slagter, EM
2007-12-19 14:44 ` Patrick McHardy
2007-12-20 10:51 ` Slagter, EM [this message]
2007-12-22 7:37 ` Patrick McHardy
2007-12-22 10:49 ` Slagter, EM
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=476A494C.1050606@wlz.nl \
--to=eslagter@wlz.nl \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).