
To: Peter Bieringer <pb@xxxxxxxxxxxx>
Subject: Re: ip6tables: accept of IPv6 transport esp packages not possible - no rule matches
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Sun, 02 Jan 2005 22:14:56 +0100
Cc: USAGI core <usagi-core@xxxxxxxxxxxxxx>, Maillist netdev <netdev@xxxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxx>, Netfilter development mailing list <netfilter-devel@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <E7944B8AE7C7468F39D3C2F8@xxxxxxxxxxxxxxxxxxxxxxx>
References: <019064D0423CE6C823CBF476@xxxxxxxxxxxxxxxxxxxxxx> <5F6ACA5CEF52DBFBF11FBF94@xxxxxxxxxxxxxxxxxxxxxx> <41CD8B4F.6010402@xxxxxxxxx> <85346B5DA83795C08812E782@xxxxxxxxxxxxxxxxxxxxxxx> <41D7DE3E.2090304@xxxxxxxxx> <E7944B8AE7C7468F39D3C2F8@xxxxxxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.3) Gecko/20041008 Debian/1.7.3-5
Peter Bieringer wrote:

>>> BTW: how to filter incoming traffic after decryption?
>>
>> Use tunnel-mode. The decrypted packets will hit PRE_ROUTING
>> and LOCAL_IN again.
>
> Ok, confirmed working in tunnel mode, the ping6 packet was counted twice in
> different rules (esp and icmpv6).
>
> But for outgoing ping6 packets, this won't work, the packet is only counted
> (and accepted) by the icmpv6 rule; the esp rule got no match, and neither did
> the "all" rule.
>
> Looks like at the moment, an outgoing packet passes netfilter only one
> time, even if encryption is in tunnel mode.

That is correct.

> By design / bug / missing feature?

By design and missing feature :) As I said, patches to fix this for
IPv4 will be submitted this week .. IPv6 will hopefully follow soon.

Regards
Patrick
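The traversal behaviour discussed in this exchange, as an added illustration (not code from the thread or from netfilter): a small model of how an IPv6 tunnel-mode IPsec packet hits an ip6tables chain on a kernel of this generation, inbound as ESP and then again as the decrypted inner protocol, outbound only once and before encryption. Rule and chain names are assumptions of the model; the counters it reproduces are the ones Peter reports.

```python
from dataclasses import dataclass
from typing import List, Optional

ESP = "esp"
ICMPV6 = "icmpv6"


@dataclass
class Rule:
    proto: Optional[str]   # None stands for "-p all"
    target: str
    hits: int = 0          # packet counter, as shown by "ip6tables -L -v"


@dataclass
class Chain:
    rules: List[Rule]
    policy: str = "DROP"

    def traverse(self, proto: str) -> str:
        # First matching rule with a terminating target decides, like ip6tables.
        for rule in self.rules:
            if rule.proto in (None, proto):
                rule.hits += 1
                return rule.target
        return self.policy


def inbound_tunnel(chain: Chain, inner_proto: str) -> List[str]:
    """Inbound tunnel mode: seen once as ESP, then (if accepted and decrypted)
    re-injected and seen again as the inner protocol on the same hooks."""
    verdicts = [chain.traverse(ESP)]
    if verdicts[0] == "ACCEPT":
        verdicts.append(chain.traverse(inner_proto))
    return verdicts


def outbound_tunnel(chain: Chain, inner_proto: str) -> List[str]:
    """Outbound: the plaintext packet traverses OUTPUT once; encryption happens
    afterwards, so no OUTPUT rule ever sees an ESP header (pre-patch kernel)."""
    return [chain.traverse(inner_proto)]


def run_ping6_scenario() -> dict:
    """Same rule set in INPUT and OUTPUT; returns the resulting hit counters."""
    inp = Chain([Rule(ESP, "ACCEPT"), Rule(ICMPV6, "ACCEPT")])
    out = Chain([Rule(ESP, "ACCEPT"), Rule(ICMPV6, "ACCEPT")])
    inbound_tunnel(inp, ICMPV6)
    outbound_tunnel(out, ICMPV6)
    return {"in_esp": inp.rules[0].hits, "in_icmpv6": inp.rules[1].hits,
            "out_esp": out.rules[0].hits, "out_icmpv6": out.rules[1].hits}


def outbound_esp_only_verdict() -> str:
    """An OUTPUT chain that only accepts ESP drops the tunnelled ping entirely."""
    return outbound_tunnel(Chain([Rule(ESP, "ACCEPT")]), ICMPV6)[0]
```

The practical consequence for a restrictive OUTPUT policy is the last function: the inner protocol, not ESP, is what must be accepted for outgoing IPsec traffic.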

