netdev

Re: [netfilter-core] [NETFILTER] Apply IPsec to ipt_REJECT packets

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [netfilter-core] [NETFILTER] Apply IPsec to ipt_REJECT packets
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Tue, 23 Nov 2004 19:17:36 +0100
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, coreteam@xxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <20041123084225.GA3514@gondor.apana.org.au>
References: <20041123084225.GA3514@gondor.apana.org.au>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.3) Gecko/20041008 Debian/1.7.3-5

Herbert Xu wrote:

> Hi:
>
> I found out today that packets generated by ipt_REJECT weren't protected
> by IPsec.  This is because the proto field isn't set at all in the flow
> supplied to ip_route_output_key.
>
> The following patch sets that as well as protocol-specific fields so
> that the appropriate IPsec policy can be applied.

The patch doesn't handle tcp resets sent in response to a forwarded packet. I'll send a patch later tonight.

Regards
Patrick
