netdev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ip6tables: accept of IPv6 transport esp packages not possible - no r

from [Patrick McHardy] [Permanent Link][Original]
To: Peter Bieringer <pb@xxxxxxxxxxxx>
Subject: Re: ip6tables: accept of IPv6 transport esp packages not possible - no rule matches
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Sun, 02 Jan 2005 12:42:54 +0100
Cc: USAGI core <usagi-core@xxxxxxxxxxxxxx>, Maillist netdev <netdev@xxxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxx>, Netfilter development mailing list <netfilter-devel@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <85346B5DA83795C08812E782@xxxxxxxxxxxxxxxxxxxxxxx>
References: <019064D0423CE6C823CBF476@xxxxxxxxxxxxxxxxxxxxxx> <5F6ACA5CEF52DBFBF11FBF94@xxxxxxxxxxxxxxxxxxxxxx> <41CD8B4F.6010402@xxxxxxxxx> <85346B5DA83795C08812E782@xxxxxxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5 
Peter Bieringer wrote:

Does this patch fix the problem ?


Yes, this patch fix the problem on the incoming side:


Thanks.



I ping6 to a remote host via IPsec in transport mode:

IPv6 INPUT chain:

    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
ipv6-icmp type 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
ipv6-icmp type 129
    1   156 ACCEPT     esp      *      *       remote/128  local/128
    0     0 ACCEPT     all      *      *       remote/128  local/128


So the proper chain matches.


But I wonder a little bit because of the result of the OUTPUT chain:

    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
ipv6-icmp type 129
    1   104 ACCEPT     icmpv6    *      *       ::/0                 ::/0
ipv6-icmp type 128
    0     0 ACCEPT     esp      *      *       local/128  remote/128
    0     0 ACCEPT     all      *      *       local/128  remote/128


Here, the ICMPv6 rule matches.

This means for me that the traffic goes like this:

OUTPUT: ping6 -> netfilter -> encryption -> ESP
INPUT : ESP -> netfilter -> decryption -> ping6


More specific, with transport mode it goes:

OUTPUT: ping6 -> LOCAL_OUT -> encryption -> POST_ROUTING
INPUT: ESP -> PRE_ROUTING -> LOCAL_IN -> decryption -> ping6

Filtering for IPv6 happens on LOCAL_IN/LOCAL_OUT (and FORWARD).


Is this logical?


Not very. Patches to improve this for IPv4 will be submitted
next week, but IPv6 still needs some work.



BTW: how to filter incoming traffic after decryption?


Use tunnel-mode. The decrypted packets will hit PRE_ROUTING
and LOCAL_IN again.

Regards
Patrick
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  what is mean by linear socket buffers?, linux lover
Next by Date:  Re: unregister_netdev Annoyance WAS(Re: ing_filter debug messages, bert hubert
Previous by Thread:  Re: ip6tables: accept of IPv6 transport esp packages not possible - no rule matches, Peter Bieringer
Next by Thread:  Re: ip6tables: accept of IPv6 transport esp packages not possible - no rule matches, Peter Bieringer
Indexes:  [Date] [Thread] [Top] [All Lists]