Tom Eastep wrote:
> | Have you applied the ipsec+netfilter patches ? Without them, packets
> | are only seen encrypted in the OUTPUT chain.
> |
> Yes -- the ipsec+netfilter patches are applied. Here is the same test
> with the bridge removed and the local ip address transferred to one of
> the network cards:

The problem is ipv4_sabotage_out in the bridging code. It prevents the
packet from hitting the LOCAL_OUT hook while it is still unencrypted.
When it hits the bridging code and its LOCAL_OUT hook it's too late.
Not sure how to handle it yet.

Regards
Patrick
On Monday 16 August 2004 03:31, Patrick McHardy wrote:
> The problem is ipv4_sabotage_out in the bridging code. It prevents the
> packet from hitting the LOCAL_OUT hook while it is still unencrypted.
> When it hits the bridging code and its LOCAL_OUT hook it's too late.
> Not sure how to handle it yet.

I'll have a look at that after I'm finished with the IPv6 bridge
firewalling stuff.

cheers,
Bart
Patrick McHardy wrote:
| Tom Eastep wrote:
|
|> | Have you applied the ipsec+netfilter patches ? Without them, packets
|> | are only seen encrypted in the OUTPUT chain.
|> |
|> Yes -- the ipsec+netfilter patches are applied. Here is the same test
|> with the bridge removed and the local ip address transferred to one of
|> the network cards:
|
|
| The problem is ipv4_sabotage_out in the bridging code. It prevents the
| packet from hitting the LOCAL_OUT hook while it is still unencrypted.
| When it hits the bridging code and its LOCAL_OUT hook it's too late.
| Not sure how to handle it yet.
|

Thanks for the update.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net