On Friday, 22 April 2005 15:27, Herbert Xu wrote:
> On Fri, Apr 22, 2005 at 03:22:49PM +0200, Wolfgang Walter wrote:
> > I'm not sure how packets of tunnels ending at a host are treated exactly.
> > Probably the tunnel-packet itself is checked against XFRM_POLICY_IN
> > because its destination is the host itself. Then it gets decrypted if an
> > entry appropriate in the sad in (dst,spi) exists. The inner packet gets
> > extracted and decrypted and is then rerouted.
>
> Actually it only gets checked once, after all IPsec decapsulation has been
> completed. So forwarded packets only ever get checked against the FWD
> direction.
>
So Linux implements things like, e.g., ipcomp in esp-tunnel in ah-tunnel as a
bundle instead of feeding the packet back into the packet receive code for
every transformation? I assume that incoming packets which are subject to
several IPsec transformations are seen exactly twice in netfilter PREROUTING:
first before decapsulation and then after complete decapsulation?
Greetings,
--
Wolfgang Walter
Studentenwerk München
Institution under public law
Leopoldstraße 15
80802 München