Hello,

Thank you for your patch. It looks good (and I've already committed it to SVN), however I do get a warning message when using it:

Warning: never matched protocol: ah. use extension match instead.

As far as I can tell, this happens in ip6tables only, i.e. IPv6. From a relevant mailing list post:

> "-p" uses the first non-extension header (which can never
> be AH), while "-m ah" matches on AH extension headers.

So at least for IPv6 it seems as if "-p ah" apparently will not have an effect? From what I've figured out so far, AH will never occur alone. It will always be ah+esp, and then the protocol match will be for esp? Could you try if "-p esp" actually is sufficient to make IPSec work?

Do you know if default ISAKMP will be UDP and source port 500, too? Right now, I've committed it as dport="isakmp/udp", but if the source port will also be 500/udp, I would prefer to make the rule tighter by default.

Regards,
Erich

On Thu, Aug 8, 2013 at 6:06 AM, Wil Tan <w...@nivlea.net> wrote:
> Package: pyroman
> Version: 0.4.6-4
> Severity: important
> Tags: upstream patch
>
> There is currently no easy way to add "esp" and "ah" protocols in a rule
> because the protocols are not recognized by pyroman.
>
> This patch allows the following "add_service" definition:
>
> add_service("ipsec", dports="esp ah")
>
> and if used in a rule like:
>
> allow(client="host1", server="vpnhost", service="ipsec")
>
> will generate the rules properly.
>
> I'm reporting the bug against what's installed on this system, but it should
> apply to the latest version in SVN.
>
>
> -- System Information:
> Debian Release: 6.0.1
> APT prefers oldstable-updates
> APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
>
> Versions of packages pyroman depends on:
> ii iptables 1.4.8-3 administration tools for packet fi
> ii python 2.6.6-3+squeeze7 interactive high-level object-orie
> ii python-support 1.0.10 automated rebuilding support for P
>
> pyroman recommends no packages.
>
> pyroman suggests no packages.
> -- no debconf information --
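The exchange above turns on one detail: under ip6tables, "-p ah" inspects the first non-extension header, which is never AH, so the rule silently never matches and only "-m ah" works. The following is an added illustration, not pyroman's code and not the patch from the report: a small generator that emits the ESP, AH and ISAKMP rules for an IPsec service, picks "-m ah" for IPv6 and "-p ah" for IPv4, optionally tightens ISAKMP to source port 500 as Erich considers, and a lint pass that flags the never-matching "-p ah" form in ip6tables rules. The helper names, the use of the FORWARD chain, and the address-family check are assumptions of this example.

```python
"""Added example (not pyroman's code): generate iptables/ip6tables rules for
an IPsec service and flag the ip6tables '-p ah' pitfall from the thread."""
import ipaddress

ISAKMP_PORT = 500  # IKE/ISAKMP, UDP (dport="isakmp/udp" in the thread)


def ipsec_rules(client, server, tighten_isakmp=False):
    """Return rules allowing IPsec from client to server (hypothetical helper).

    The address family is taken from the addresses themselves; mixing families
    is rejected because a single rule set cannot serve both tools.
    When tighten_isakmp is True the ISAKMP rule also requires --sport 500.
    """
    c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
    if c.version != s.version:
        raise ValueError("client and server must be the same IP version")
    tool = "ip6tables" if s.version == 6 else "iptables"
    base = f"{tool} -A FORWARD -s {c} -d {s}"

    rules = [f"{base} -p esp -j ACCEPT"]
    if s.version == 6:
        # IPv6: "-p ah" checks the first non-extension header, which is never
        # AH, so the rule would never match. The ah match extension inspects
        # the AH extension header itself.
        rules.append(f"{base} -m ah -j ACCEPT")
    else:
        # IPv4: AH is an ordinary IP protocol (51), so "-p ah" works.
        rules.append(f"{base} -p ah -j ACCEPT")

    isakmp = f"{base} -p udp --dport {ISAKMP_PORT}"
    if tighten_isakmp:
        isakmp += f" --sport {ISAKMP_PORT}"
    rules.append(isakmp + " -j ACCEPT")
    return rules


def lint_rules(rules):
    """Return the ip6tables rules that use '-p ah' and therefore never match.

    This is the condition behind the warning quoted in the thread:
    'never matched protocol: ah. use extension match instead.'
    """
    return [r for r in rules if r.startswith("ip6tables") and " -p ah" in r]


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not from the thread.
    for rule in ipsec_rules("2001:db8::1", "2001:db8::2"):
        print(rule)
    for rule in ipsec_rules("192.0.2.1", "192.0.2.2", tighten_isakmp=True):
        print(rule)
    bad = ["ip6tables -A FORWARD -s 2001:db8::1 -d 2001:db8::2 -p ah -j ACCEPT"]
    print("never-matching rules:", lint_rules(bad))
```

Running the lint over rules produced by the buggy "-p ah" path is the quickest way to confirm whether a generated ruleset has the problem Erich saw, independent of whether the kernel prints the warning.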