Subject: Re: [OT] Connection tracking for IPSec
From: Felipe Alfaro Solana <felipe_alfaro@linuxmail.org>
To: Christophe Saout <christophe@saout.de>
Cc: LKML <linux-kernel@vger.kernel.org>
In-Reply-To: <1061391227.5558.2.camel@chtephan.cs.pocnet.net>
References: <1061378568.668.9.camel@teapot.felipe-alfaro.com>
	 <1061381498.4210.16.camel@chtephan.cs.pocnet.net>
	 <1061389376.3804.16.camel@teapot.felipe-alfaro.com>
	 <1061391227.5558.2.camel@chtephan.cs.pocnet.net>
Content-Type: text/plain
Message-Id: <1061392721.3804.18.camel@teapot.felipe-alfaro.com>
Mime-Version: 1.0
Date: Wed, 20 Aug 2003 17:18:41 +0200
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1140
Lines: 23

On Wed, 2003-08-20 at 16:53, Christophe Saout wrote:
> > No... What I'm saying is that normal IP traffic is processed by the
> > firewall. However, if the incoming traffic is protected with IPSec,
> > since I opened up protocols 50 and 51, the IPSec traffic is admitted
> > without passing any remaining firewall filters. The machine in question
> > is an end host (not a router).
> 
> Yes, you're right. I just checked. Only the encrypted traffic passes the
> netfilter rules, never the unencrypted data. So if you open the
> protocols 50 and 51, the encrypted data can pass, gets
> encrypted/decrypted and that data can always pass unchecked.
> 
> These packets should get reinjected into the netfilter mechanism after
> decryption and should pass the rules before getting encrypted.

Exactly! Now, I dont know how to reinject the IPSec-decrypted packets
back to the netfilter engine. Anyone?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/