
[PATCH] [Repost] IPSec: cleartext packets path for 2.6.9

To: linux-kernel@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
Subject: [PATCH] [Repost] IPSec: cleartext packets path for 2.6.9
From: Ilia Sotnikov/ASSTRA/BY <ilia.sotnikov@xxxxxxxxx>
Date: Fri, 12 Nov 2004 15:11:18 +0200
Cc: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
IPSec: 
Let incoming packets after decapsulation in transport mode traverse 
the same path as with tunnels. 
Deliver outgoing packets before encapsulation to all attached 
PF_PACKET sockets (for example, pcap-based programs) without sending 
them to a physical interface.

Signed-off-by: Ilia Sotnikov <ilia.sotnikov@xxxxxxxxx>

Description:
xfrm{4,6}_input() calls will return 0 even when decapsulating a 
packet in transport mode, as opposed to the original concept 
where they return -nh->protocol. Then packets get reinjected via a 
netif_rx() call. Although it's overhead, it allows a packet to 
be seen in more Netfilter hooks. Below is a table which shows 
the difference in Netfilter hook traversal.

mangle table:
Mode        NF Hook     Vanilla     Patched
transport   PREROUTING  no          yes
tunnel      PREROUTING  yes         yes

transport   INPUT       no          yes
tunnel      INPUT       yes         yes

transport   OUTPUT      yes         yes
tunnel      OUTPUT      yes         yes

transport   POSTROUTING no          no
tunnel      POSTROUTING no          no

Additionally, pcap-based programs will be able to see all 
cleartext packets (incoming and outgoing). In the vanilla kernel, you 
will see only incoming cleartext packets after decapsulation, 
and only in tunnel mode.

PS: Please CC me as I'm not on the list.
PPS: Please forgive the attachment, but my email client will kill
all the indentation.

Attachment: linux-2.6.9-ipsec_traverse_path.diff
Description: Binary data
