From: "pheusion@snet.net"
To: Ian Hunter
Cc: netfilter@lists.netfilter.org
Subject: Re: Argh! I'm kicking myself
Date: Fri, 19 Dec 2003 16:39:34 -0500
Sender: netfilter-admin@lists.netfilter.org
Reply-To: pheusion@snet.net
Message-ID: <1071869974.3634.7.camel@GenMicroSys>
In-Reply-To: <015b01c3c670$99b77600$3dc2a70a@melita.com>
References: <015b01c3c670$99b77600$3dc2a70a@melita.com>

Wait, I think I understand the question now. (Correct me if I am wrong.)

If you have the match modules enabled, then that would be what allows
you to include AH/ESP match support. There was a patch for this, but it
might be included with distros.

On Fri, 2003-12-19 at 15:42, Ian Hunter wrote:
> For days now I've been trying to figure out how to recompile my Redhat
> 2.4.20-24.9 kernel to allow masquerading IPSec ESP traffic. I ran the
> much-vaunted "grep -i masq /proc/ksyms" and to my chagrin got nothing back,
> but on a lark decided I'd try "iptables -A FORWARD -t nat -i ppp0 -p esp -j
> ACCEPT" just to see if it would fly and it did. Of course. And now you're
> all laughing at me.
>
> Where is this documented, that gre, esp, ah, and the like are acceptable
> protocols? The docs mention icmp, tcp, and udp only.
>
> Is there such a document, or have I discovered a particular cover of the
> netfilter doc-hole?
>
> Ian