Re: port-based filtering of ESP packets with in-kernel IPsec?

To:	netfilter-devel@xxxxxxxxxxxxxxxxxxx
Subject:	Re: port-based filtering of ESP packets with in-kernel IPsec?
From:	Harald Welte <laforge@xxxxxxxxxxxxx>
Date:	Wed, 30 Jul 2003 16:24:11 +0200
Cc:	netfilter@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to:	<1059540296.16545.305.camel@xxxxxxxxxxx>
Mail-followup-to:	Harald Welte <laforge@xxxxxxxxxxxxx>, netfilter-devel@xxxxxxxxxxxxxxxxxxx, netfilter@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
References:	<1059540296.16545.305.camel@xxxxxxxxxxx>
Sender:	netdev-bounce@xxxxxxxxxxx
User-agent:	Mutt/1.5.4i

On Tue, Jul 29, 2003 at 11:44:57PM -0500, Rick Kennell wrote:
> I asked about this last week in the general netfilter list, but it
> appears that most folks are still using FreeS/WAN for IPsec.

yes, most people will use a stable kernel rather than a development one
;)

> I'm using the in-kernel IPsec and want to be able to filter ESP packets
> based on protocol or port number.  These values are encapsulated in the
> ESP payload and are unavailable to netfilter.  If I were using
> FreeS/WAN, I could use standard netfilter techniques on the ipsec0
> device.  With the in-kernel IPsec, there's no extra pseudo-device with
> which to examine unencapsulated ESP packets.

true.

> It looks too me like netfilter sees the packet as ESP in all chains in
> all tables.  (I'd be delighted to be corrected.)

I haven't investigated the new in-kernel ESP implementation that far,
but your observation sounds reasonable (although I don't say this is the
desired behaviour).

> Since ESP packets that reach the mangle INPUT chain are destined for a
> local process, why not unencapsulate them just before that point?  

Because NF_IP_LOCAL_IN (like all other hooks) are in the layer 3 stack,
and decapsulating ESP is inside a layer 4 protocol - thus it happens
after the ip stack has handed it over to the esp4 protocol engine.

> It might still be nice to have an indication that this was once an ESP
> packet for filtering, but that could be done by setting a mark in the
> mangle PREROUTING chain.

no. My preferred solution was something like adding a netfilter hook to
the xfrm4 engine, exactly after decapsulation / decryption of one layer,
i.e.  after xfrm_type.input was called. 

iptables could then register the INPUT chain (or probably even a
seperate POSTXFRM chain) in order to filter on the respective packets.

> I realize that this would probably require some heavy lifting in the
> network layer to accomplish this nesting of functionality.

yes, this is why this should be discussed on the netdev list (Cc'ed).

I think this needs to be sorted out before 2.6.0-final will be released.

Any comments are appreciated.

> Am I missing something obvious?

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

pgpRxi3NugEvH.pgp
Description: PGP signature

<Prev in Thread]	Current Thread	[Next in Thread>
Re: port-based filtering of ESP packets with in-kernel IPsec?, Harald Welte <= Re: port-based filtering of ESP packets with in-kernel IPsec?, Andreas Jellinghaus Re: port-based filtering of ESP packets with in-kernel IPsec?, Harald Welte Re: port-based filtering of ESP packets with in-kernel IPsec?, Dax Kelson Re: port-based filtering of ESP packets with in-kernel IPsec?, Dax Kelson

Previous by Date:	[PATCH] 2.4.22-pre9-bk : bonding bug fixes, Willy Tarreau
Next by Date:	Re: [PATCH][ATM][2.4] export try_atm_clip_ops not atm_clip_ops_mutex, chas williams
Previous by Thread:	[PATCH] 2.4.22-pre9-bk : bonding bug fixes, Willy Tarreau
Next by Thread:	Re: port-based filtering of ESP packets with in-kernel IPsec?, Andreas Jellinghaus
Indexes:	[Date] [Thread] [Top] [All Lists]