tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: reverse processing order: NAT, IPsec ?

At Thu, 25 Jun 2009 17:17:29 +0200 (CEST), Hubert Feyrer 
<> wrote:
Subject: Re: reverse processing order: NAT, IPsec ?
> Reverting to the original code with just the patch below makes things work 
> for me. Apparrently the current code only runs the PFIL_HOOKS once for 
> incoming IPsec packets, but not a second time after de-encapsulation.
> This is what I'm seeing in tcpdump here. Disabling the test if the packet 
> was already processed gets NAT done properly (and yes, I have FAST_IPSEC 
> enabled instead of IPSEC).
> Does anyone have an idea on the implications here? Why is a second run of 
> PFIL_HOOKS disabled (only!) for IPsec?

I suspect, with thinking too much about it so I may have this completely
wrong, that calling PFIL hooks for the de-encapsulated packet will
indeed cause problems with filter rules in non-tunnel-mode
(connectionless) IPsec implementations, at least if those filter rules
are not designed to take into account the presence and removal of the
authentication header on an otherwise identical IP header.

                                                Greg A. Woods
                                                Planix, Inc.

<>       +1 416 218-0099

Attachment: pgpQ8QRhNNsy4.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index