Jason,
EITHER KEEP THIS ON THE LIST OR GO AWAY!!! Is that clear enough?
Jason Wohlford wrote:
>
>
> I know I'm pushing it but, how would one check the kernel? Armed with
> the right knowledge, I hope to encourage the right stuff to be dropped
> in Debian Sarge before release. Keep in mind that I'm just one small
> person with high ambitions.
>
I think you would be better off lobbying the Netfilter development team
to get the IPSEC-Netfilter code released into the kernel.org tree. That
way, everyone would benefit, including Debian users.
At any rate, you can see if there is a policy match kernel module for
the running kernel using:
ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/*policy*
Here's a 2.6.10 kernel patched to support policy match:
gateway:~# ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/*policy*
/lib/modules/2.6.10-tme1/kernel/net/ipv4/netfilter/ipt_policy.ko
gateway:~#
The test that Shorewall makes is:
iptables -N fooX1234
iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT
If that works, then the kernel and iptables both have policy match
support. If that command doesn't work, then policy match doesn't work
using the running kernel and iptables.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
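
The two checks from the message above, wrapped as shell functions that also remove the scratch chain afterwards. This is an added example, not part of the original message and not Shorewall's own code; the function names, the IPTABLES and MODROOT variables, and the --probe argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. IPTABLES and MODROOT are assumed names, overridable by the caller.
IPTABLES=${IPTABLES:-iptables}
MODROOT=${MODROOT:-/lib/modules}

# Print any policy match module files installed for a kernel release
# (default: the running kernel). Returns 0 if at least one was found.
find_policy_module() {
    krel=${1:-$(uname -r)}
    found=1
    for f in "$MODROOT/$krel"/kernel/net/ipv4/netfilter/*policy*; do
        # An unmatched glob stays literal, so test that the file exists.
        [ -e "$f" ] && { printf '%s\n' "$f"; found=0; }
    done
    return $found
}

# Try to add a policy match rule to a scratch chain.
# Returns 0 if kernel and iptables both accept it, 1 if the rule is
# rejected, 2 if the scratch chain could not be created (for example,
# not running as root or the chain name is already in use).
policy_match_supported() {
    chain=${1:-fooX1234}
    $IPTABLES -N "$chain" 2>/dev/null || return 2
    rc=1
    $IPTABLES -A "$chain" -m policy --pol ipsec --dir in -j ACCEPT \
        2>/dev/null && rc=0
    # Flush and delete the scratch chain whether or not the rule loaded.
    $IPTABLES -F "$chain" 2>/dev/null || :
    $IPTABLES -X "$chain" 2>/dev/null || :
    return $rc
}

# Run both checks only when asked to, e.g.: sh thisfile.sh --probe
case "${1:-}" in
--probe)
    find_policy_module || echo "no policy match module file found"
    if policy_match_supported; then
        echo "policy match: supported"
    else
        echo "policy match: not usable with this kernel and iptables"
    fi
    ;;
esac
```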