| To: | Patrick McHardy <kaber@xxxxxxxxx> |
|---|---|
| Subject: | Re: ip6tables: accept of IPv6 transport esp packages not possible - no rule matches |
| From: | Peter Bieringer <pb@xxxxxxxxxxxx> |
| Date: | Sun, 02 Jan 2005 10:01:20 +0100 |
| Cc: | USAGI core <usagi-core@xxxxxxxxxxxxxx>, Maillist netdev <netdev@xxxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxx>, Netfilter development mailing list <netfilter-devel@xxxxxxxxxxxxxxxxxxx> |
| In-reply-to: | <41CD8B4F.6010402@trash.net> |
| References: | <019064D0423CE6C823CBF476@t1mobil.muc.aerasec.de> <5F6ACA5CEF52DBFBF11FBF94@t1mobil.muc.aerasec.de> <41CD8B4F.6010402@trash.net> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
Hi,
--On Saturday, December 25, 2004 04:46:23 PM +0100 Patrick McHardy
<kaber@xxxxxxxxx> wrote:
> Peter Bieringer wrote:
>> Looks like there is something going wrong in the protocol matching
>> algorithm in netfilter6.
>
> Does this patch fix the problem ?
>
> Regards
> Patrick
Yes, this patch fixes the problem on the incoming side:
I ping6 to a remote host via IPsec in transport mode:
IPv6 INPUT chain:
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 129
1 156 ACCEPT esp * * remote/128 local/128
0 0 ACCEPT all * * remote/128 local/128
So the proper chain matches.
But I wonder a little bit because of the result of the OUTPUT chain:
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 129
1 104 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 128
0 0 ACCEPT esp * * local/128 remote/128
0 0 ACCEPT all * * local/128 remote/128
Here, the ICMPv6 rule matches.
This means for me that the traffic goes like this:
OUTPUT: ping6 -> netfilter -> encryption -> ESP
INPUT : ESP -> netfilter -> decryption -> ping6
Is this logical?
BTW: how to filter incoming traffic after decryption?
Peter
--
Dr. Peter Bieringer http://www.bieringer.de/pb/
GPG/PGP Key 0x958F422D mailto: pb at bieringer dot de
Deep Space 6 Co-Founder and Core Member http://www.deepspace6.net/
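The rule listings above show the point of the whole thread: an `-p esp` rule only matches if the filter walks the IPv6 next-header chain (past any hop-by-hop, routing, fragment or destination-options headers) until it reaches the upper-layer protocol, and on the INPUT side that protocol is still ESP (50) because the packet has not been decrypted yet, while on the OUTPUT side it is already ICMPv6 (58) because the packet has not been encrypted yet. The following is an added example, not code from the mail or from netfilter: it implements that next-header walk over constructed packets (documentation prefix 2001:db8::/32, a dummy SPI and opaque ciphertext) and replays the four-rule chain from the mail against an ICMPv6 echo request, a bare transport-mode ESP packet, and an ESP packet behind a hop-by-hop header. The rule representation (`chain` as a list of `(proto_name, icmpv6_type)` tuples) is an assumption made for the example.

```python
# Added example (not part of the original thread): next-header walk that an
# ip6tables "-p esp" match has to perform, replayed against the chain from the mail.
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 43, 44
IPPROTO_ESP, IPPROTO_AH, IPPROTO_ICMPV6, IPPROTO_DSTOPTS = 50, 51, 58, 60
# Headers that can sit between the fixed IPv6 header and the transport protocol.
# AH is included: it is an extension header with a visible next-header field.
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS, IPPROTO_AH}


def ipv6_upper_layer(pkt: bytes):
    """Return (protocol, offset) of the upper-layer header of an IPv6 packet,
    skipping extension headers. Raises ValueError on truncated input."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    nexthdr = pkt[6]          # fixed header: byte 6 is Next Header
    off = 40
    for _ in range(16):       # bound the walk; real chains are a handful of headers
        if nexthdr not in EXT_HEADERS:
            return nexthdr, off   # ESP (50) stops here: its payload is ciphertext
        if len(pkt) < off + 2:
            raise ValueError("truncated extension header")
        if nexthdr == IPPROTO_FRAGMENT:
            hdrlen = 8                         # fragment header is fixed size
        elif nexthdr == IPPROTO_AH:
            hdrlen = (pkt[off + 1] + 2) * 4    # AH length in 32-bit words, minus 2
        else:
            hdrlen = (pkt[off + 1] + 1) * 8    # HBH/routing/dstopts in 8-byte units, minus 1
        nexthdr = pkt[off]
        off += hdrlen
    raise ValueError("extension header chain too long")


def ipv6_header(nexthdr: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header with constructed documentation-prefix addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (constructed)
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2 (constructed)
    return struct.pack("!IHBB", 0x60000000, payload_len, nexthdr, 64) + src + dst


def esp_transport_packet(with_hopopts: bool = False) -> bytes:
    """Transport-mode ESP packet: SPI, sequence number, then opaque ciphertext."""
    esp = struct.pack("!II", 0x1000, 1) + b"\xaa" * 24     # dummy SPI/seq/ciphertext (constructed)
    if with_hopopts:
        # Hop-by-hop header: next=ESP, ext len 0 (8 bytes), one PadN option of 4 bytes.
        hbh = bytes([IPPROTO_ESP, 0, 1, 4, 0, 0, 0, 0])
        return ipv6_header(IPPROTO_HOPOPTS, len(hbh) + len(esp)) + hbh + esp
    return ipv6_header(IPPROTO_ESP, len(esp)) + esp


def icmpv6_echo_packet(icmp_type: int = 128) -> bytes:
    """ICMPv6 echo request (128) or reply (129); checksum left at 0 (constructed)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"ping"
    return ipv6_header(IPPROTO_ICMPV6, len(icmp)) + icmp


PROTO_NAMES = {"icmpv6": IPPROTO_ICMPV6, "esp": IPPROTO_ESP}

# The INPUT chain from the mail, in order: (protocol name, ICMPv6 type or None).
CHAIN = [("icmpv6", 128), ("icmpv6", 129), ("esp", None), ("all", None)]


def first_matching_rule(pkt: bytes, chain=CHAIN) -> int:
    """Index of the first rule that matches pkt (first-match semantics), or -1."""
    proto, off = ipv6_upper_layer(pkt)
    for i, (name, icmp_type) in enumerate(chain):
        if name != "all" and PROTO_NAMES[name] != proto:
            continue
        if icmp_type is not None and pkt[off] != icmp_type:   # ICMPv6 type is the first byte
            continue
        return i
    return -1


if __name__ == "__main__":
    # Before encryption (OUTPUT side) the echo request hits the ICMPv6 rule;
    # on the wire (INPUT side) the same traffic is ESP and hits the ESP rule.
    print("outbound echo request matches rule", first_matching_rule(icmpv6_echo_packet(128)))
    print("inbound ESP matches rule", first_matching_rule(esp_transport_packet()))
    print("inbound ESP behind hop-by-hop matches rule",
          first_matching_rule(esp_transport_packet(with_hopopts=True)))
```

A match that only looked at byte 6 of the fixed header would return 0 (hop-by-hop) for the third packet and fall through to the `all` rule instead of the `esp` rule; the walk is what makes `-p esp` reliable whenever extension headers are present.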