From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sergei Zhirikov
Subject: Re: question about esp and policy matching rule
Date: Wed, 21 Jul 2010 15:46:14 +0200
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: netfilter-owner@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: netfilter@vger.kernel.org

On 2010-07-20 18:56, ratheesh k wrote:
>
> After decapsulation, will the IP packet traverse the prerouting chain again?
>
Do you mean the prerouting chain of the "nat" table (as opposed to the "mangle" or "raw" table)? I don't know for sure, but I would think that yes. You could perform a simple experiment to know for sure.

When using tunnel mode the destination of an incoming encapsulated packet can be another host (usually in the local network), while the destination of the ESP packet is the machine where the IPSec tunnel ends, so those two are to be routed differently.

I'm just thinking aloud based more on my general understanding of IPSec rather than on the knowledge of the implementation.

And don't forget that only the first packet in a connection is visible in the prerouting chain of the "nat" table.

-- 
Sergei.
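The experiment suggested above, as an added example that is not part of the original thread: a shell script that emits iptables rules using the policy match (`-m policy --dir in --pol ipsec`) to log and count post-decapsulation packets in the PREROUTING chain of the raw, mangle and nat tables, so the counters show which hooks the inner packet traverses. The `IPT` variable and the log prefixes are assumptions; the rules are only applied when the script is run with `apply`.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules for the
# experiment: count packets that arrived inside an ESP tunnel-mode SA in
# the PREROUTING chain of each table that hooks it.
# Assumes iptables with the xt_policy match; IPT and prefixes are made up.

IPT="${IPT:-iptables}"

# One rule for a given table. The policy match inspects the *inner* packet's
# IPsec policy, so it can only fire after decapsulation; inserting at
# position 1 keeps earlier rules from shadowing it. LOG does not terminate.
policy_rule() {
    table="$1"
    printf '%s -t %s -I PREROUTING 1 -m policy --dir in --pol ipsec --proto esp --mode tunnel -j LOG --log-prefix "%s"\n' \
        "$IPT" "$table" "ipsec-$table-prerouting: "
}

# Same rule in raw, mangle and nat. Remember the caveat from the reply:
# conntrack lets only the first packet of a connection reach the nat table,
# so compare nat counters against raw/mangle rather than reading nat alone.
experiment_rules() {
    for t in raw mangle nat; do
        policy_rule "$t"
    done
}

# Read back rule 1's packet/byte counters after sending tunnel traffic.
counter_commands() {
    for t in raw mangle nat; do
        printf '%s -t %s -L PREROUTING 1 -v -n -x\n' "$IPT" "$t"
    done
}

# Apply for real only when asked; otherwise just show what would be run.
case "${1:-show}" in
    apply) experiment_rules | sh -e ;;
    *)     experiment_rules; counter_commands ;;
esac
```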