How are NAT-T packets (udp/4500) handled with these patches?
Patrick McHardy wrote:
On Fri, 11 Nov 2005, Gerd v. Egidy wrote:
Hi,
This is the latest set patches for netfilter IPsec support.
The use of netif_rx for the innermost SA if it used transport
mode has been replaced by explicit NF_HOOK calls in
xfrm{4,6}_input.c.
Could you please describe the solution you implemented a bit more? There
was just so much back and forth that I'm confused now.
OK, some explanation. In tunnel mode, packets go through the stack
again after decapsulation and hit the PRE_ROUTING and LOCAL_IN or FORWARD
hook, depending on if it is a local packet or is forwarded. For symmetry,
there are now some additional hooks on the output path which pass the
packet through LOCAL_OUT and POST_ROUTING after tunnel mode transforms.
This part behaves just as any other tunnel. Transport mode is special:
we usually don't want to see packets before or after transport mode
transforms except if it was the plain text packet (the transport
mode SA is the innermost SA of the bundle). On the output path this
already works because packets always hit netfilter before reaching
the transforms, on the input path packets are manually passed through
PRE_ROUTING and INPUT in this case. For NAT we do two things:
when a packet is NATed after already being routed (including
the xfrm lookup), it is routed again. If an incoming packet is NATed
before the policy check, the policy check reconstructs how the packet
looked before NAT.
If I use it with iptables, do the transport mode packets go through INPUT
and OUTPUT twice, decrypted and encrypted?
Yes, if the transport mode transform is the innermost transform
of the bundle (or the only one).
If I use it with iptables, do the tunnel mode packets go through FORWARD
or INPUT and OUTPUT twice, decrypted and encrypted?
Yes.
Can I do NAT in tunnel and transport mode?
Yes, even NATing forwarded packets and protecting them using a transport
mode SA works.
What about the policy match patches, why are they only posted "for
completeness" and as 11/12 of 10? Aren't they ready yet?
They should be fine.
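Since the thread establishes that decapsulated packets traverse PRE_ROUTING and INPUT/FORWARD a second time, an iptables ruleset has to tell the two passes apart. The script below is an added example, not code from the patch set or the thread; it uses the policy match the thread mentions with the option syntax of the later merged xt_policy module, and the peer address and remote subnet are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread's patches): rules for a host that
# terminates a tunnel-mode ESP SA. IPTABLES can be overridden
# (e.g. IPTABLES=echo) to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

ipsec_rules() {
    peer="$1"        # public address of the IPsec peer (placeholder)
    remote_net="$2"  # subnet reached through the tunnel (placeholder)

    # First pass: the still-encrypted packet hits PRE_ROUTING and INPUT.
    # Let IKE, NAT-T (udp/4500) and ESP from the peer through.
    $IPTABLES -A INPUT -s "$peer" -p udp --dport 500  -j ACCEPT
    $IPTABLES -A INPUT -s "$peer" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -s "$peer" -p esp -j ACCEPT

    # Second pass: after decapsulation the inner packet goes through
    # PRE_ROUTING and then INPUT or FORWARD again. Accept it only when the
    # stack confirms it was decrypted from a tunnel-mode ESP SA of this peer.
    for chain in INPUT FORWARD; do
        $IPTABLES -A "$chain" -s "$remote_net" \
            -m policy --dir in --pol ipsec --proto esp \
            --mode tunnel --tunnel-src "$peer" -j ACCEPT
        # The same source address arriving in clear text never came
        # through the SA, so it is spoofed: drop it.
        $IPTABLES -A "$chain" -s "$remote_net" \
            -m policy --dir in --pol none -j DROP
    done

    # Output path: plaintext for the remote subnet is allowed only when a
    # matching tunnel-mode policy will encrypt it; otherwise it would leave
    # the box in clear text, so drop it.
    $IPTABLES -A OUTPUT -d "$remote_net" \
        -m policy --dir out --pol ipsec --proto esp \
        --mode tunnel --tunnel-dst "$peer" -j ACCEPT
    $IPTABLES -A OUTPUT -d "$remote_net" \
        -m policy --dir out --pol none -j DROP
}
```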