Re: reverse processing order: NAT, IPsec ?

To: Greg Troxel <gdt%ir.bbn.com@localhost>
Subject: Re: reverse processing order: NAT, IPsec ?
From: Hubert Feyrer <hubert%feyrer.de@localhost>
Date: Fri, 12 Jun 2009 14:14:20 +0200 (CEST)

On Fri, 12 Jun 2009, Greg Troxel wrote:

Start by reading netinet/ip_output.c.  IPSEC is before PFIL_HOOKS.  I
think right now munging in there is the only way.


My hope was to avoid this...

You could also have a second machine and NAT but not IPsec on that, and
separate NAT and IPsec functionality.  Kludgy perhaps (xen?), but it
might be fewer hours to what you want.

The Netscreen that I've been playing with basically has two machines inone, which allows doing this in a ~sane way. Running something asheavy-weighted as Xen to just do NAT sounds pretty sub-optimal.

I wonder if all this could be done on a single machine, with some bridgeinterfaces in between, or similar...



 - Hubert

Follow-Ups:
- Re: reverse processing order: NAT, IPsec ?
  - From: Ignatios Souvatzis

References:
- reverse processing order: NAT, IPsec ?
  - From: Hubert Feyrer
- Re: reverse processing order: NAT, IPsec ?
  - From: Greg Troxel

Prev by Date: Re: reverse processing order: NAT, IPsec ?
Next by Date: Re: reverse processing order: NAT, IPsec ?
Previous by Thread: Re: reverse processing order: NAT, IPsec ?
Next by Thread: Re: reverse processing order: NAT, IPsec ?
Indexes:

Home | Main Index | Thread Index | Old Index