
To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: ip6tables: accept of IPv6 transport esp packages not possible - no rule matches
From: Peter Bieringer <pb@xxxxxxxxxxxx>
Date: Sun, 02 Jan 2005 10:01:20 +0100
Cc: USAGI core <usagi-core@xxxxxxxxxxxxxx>, Maillist netdev <netdev@xxxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxx>, Netfilter development mailing list <netfilter-devel@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <41CD8B4F.6010402@xxxxxxxxx>
References: <019064D0423CE6C823CBF476@xxxxxxxxxxxxxxxxxxxxxx> <5F6ACA5CEF52DBFBF11FBF94@xxxxxxxxxxxxxxxxxxxxxx> <41CD8B4F.6010402@xxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
Hi,

--On Saturday, December 25, 2004 04:46:23 PM +0100 Patrick McHardy
<kaber@xxxxxxxxx> wrote:

> Peter Bieringer wrote:
>> Looks like there is something going wrong in the protocol matching 
>> algorithm in netfilter6.
> 
> Does this patch fix the problem ?
> 
> Regards
> Patrick

Yes, this patch fixes the problem on the incoming side:

I ping6 to a remote host via IPsec in transport mode:

IPv6 INPUT chain:

 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmp type 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmp type 129
    1   156 ACCEPT     esp      *      *       remote/128           local/128
    0     0 ACCEPT     all      *      *       remote/128           local/128


So the proper chain matches.


But I wonder a little bit about the result of the OUTPUT chain:

 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmp type 129
    1   104 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmp type 128
    0     0 ACCEPT     esp      *      *       local/128            remote/128
    0     0 ACCEPT     all      *      *       local/128            remote/128


Here, the ICMPv6 rule matches.

This means for me that the traffic goes like this:

OUTPUT: ping6 -> netfilter -> encryption -> ESP
INPUT : ESP -> netfilter -> decryption -> ping6

Is this logical?

BTW: how to filter incoming traffic after decryption?

        Peter
-- 
Dr. Peter Bieringer                     http://www.bieringer.de/pb/
GPG/PGP Key 0x958F422D               mailto: pb at bieringer dot de 
Deep Space 6 Co-Founder and Core Member  http://www.deepspace6.net/
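An added example, not code from the mail above or from the netfilter/iptables project: a small Python tool that does mechanically what the mail does by eye, namely diff two `ip6tables -nvL` snapshots taken before and after a single ping6 and report which rule in each chain saw the packet. The "after" snapshot is constructed from the counters quoted in the mail (including the terminal-wrapped rule lines and the "remote"/"local" address placeholders); the "before" snapshot is the same ruleset with counters zeroed, as it would look right after `ip6tables -Z`; the chain policies shown are assumed.

```python
"""Diff two `ip6tables -nvL` snapshots and report which rule saw the traffic.

Added example, not code from the mail or from the netfilter/iptables project.
SNAPSHOT_AFTER is built from the counters quoted in the mail (one ping6 through
an ESP transport-mode SA) and keeps its "remote"/"local" placeholders; the
baseline is the same ruleset with all counters zeroed. Chain policies assumed.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    chain: str
    num: int      # 1-based position within the chain
    target: str
    proto: str
    src: str
    dst: str
    extra: str    # trailing match text, e.g. "ipv6-icmp type 128"

def _unwrap(text):
    """Rejoin rule lines the terminal wrapped (as in the quoted mail): a line
    starting with neither a counter nor "Chain"/"pkts" belongs to the rule above."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Chain ", "pkts")) or line[0].isdigit():
            lines.append(line)
        elif lines:
            lines[-1] += " " + line
    return lines

def parse_counters(text):
    """Return {Rule: (pkts, bytes)} for every rule in an ip6tables -nvL dump."""
    counters, chain, num = {}, None, 0
    for line in _unwrap(text):
        tokens = line.split()
        if tokens[0] == "Chain":
            chain, num = tokens[1], 0
            continue
        if tokens[0] == "pkts":               # column header row
            continue
        if chain is None or len(tokens) < 8:
            raise ValueError("unparsed line: %r" % line)
        pkts, nbytes, target, proto = tokens[:4]
        rest = tokens[4:]
        if rest[0] in ("--", "-f", "!f"):     # iptables opt column; ip6tables leaves it blank
            rest = rest[1:]
        if len(rest) < 4:                     # need in, out, source, destination
            raise ValueError("unparsed line: %r" % line)
        num += 1
        rule = Rule(chain, num, target, proto, rest[2], rest[3], " ".join(rest[4:]))
        counters[rule] = (int(pkts), int(nbytes))
    return counters

def counter_deltas(before, after):
    """[(Rule, packets gained)] for rules whose pkts counter grew, in chain order."""
    old = parse_counters(before)
    deltas = []
    for rule, (pkts, _) in parse_counters(after).items():
        grew = pkts - old.get(rule, (0, 0))[0]
        if grew > 0:
            deltas.append((rule, grew))
    return deltas

def protocols_seen_per_chain(before, after):
    """chain -> ["<prot> <match text>", ...] for the rules the test traffic hit."""
    seen = {}
    for rule, _ in counter_deltas(before, after):
        seen.setdefault(rule.chain, []).append((rule.proto + " " + rule.extra).strip())
    return seen

# Constructed from the mail: counters after one ping6, wrapped as its terminal wrapped them.
SNAPSHOT_AFTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
ipv6-icmp type 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
ipv6-icmp type 129
    1   156 ACCEPT     esp      *      *       remote/128  local/128
    0     0 ACCEPT     all      *      *       remote/128  local/128

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
ipv6-icmp type 129
    1   104 ACCEPT     icmpv6    *      *       ::/0                 ::/0
ipv6-icmp type 128
    0     0 ACCEPT     esp      *      *       local/128  remote/128
    0     0 ACCEPT     all      *      *       local/128  remote/128
"""
# Constructed baseline: the same ruleset with every counter at zero (as after ip6tables -Z).
SNAPSHOT_BEFORE = re.sub(r"(?m)^[ \t]*\d+[ \t]+\d+ ", "    0     0 ", SNAPSHOT_AFTER)

if __name__ == "__main__":
    for chain, hits in protocols_seen_per_chain(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print("%-6s matched: %s" % (chain, ", ".join(hits)))
```

Run it as a script, or feed `protocols_seen_per_chain` the output of `ip6tables -nvL` captured before and after the test traffic. With the mail's counters it reports `esp` for INPUT and the ICMPv6 echo-request rule for OUTPUT, which is the asymmetry the mail points out: OUTPUT is traversed before ESP encapsulation and sees the cleartext ping, while INPUT sees only the ESP packet. Counting packets this way, rather than reading a single `-L` listing, is the reliable check, because a rule that a decrypted packet would hit on a second pass through INPUT shows up as a counter increment on that rule. On later 2.6 kernels the `policy` match (`-m policy --dir in --pol ipsec`) is the usual way to write a rule that applies only to packets that came out of an IPsec SA; the mail predates it.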
