I've been testing Kernel 2.6.16-rc1 together with the SVN version of iptables and have found one important change from prior releases that used the IPSEC-Nat and policy match patches. The policy match now requires that the mode (tunnel/transport) be specified. This means that:

a) You must define ipsec zones as type ipsec and place a mode specification in the OPTIONS column (e.g., "mode=tunnel").

b) You must install either the 'firewall' file (Shorewall 2.4) or the 'functions' file (3.0) from the errata sub-directory on the download sites (www1.shorewall.net/ftp1.shorewall.net currently have these -- other mirrors will follow).

Without these updates, Shorewall fails to detect the policy match capability.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
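What points a) and b) above amount to in practice, as an added example that is not part of the original post and not Shorewall's own code: a zones entry carrying mode=tunnel, a function that turns the OPTIONS column into the iptables "-m policy" arguments and refuses to build a match without a mode, and a capability probe of the kind the errata files perform, which adds a rule with an explicit --mode. The zone name "vpn", the scratch chain name "ipsec_probe", and the probe taking the iptables binary as its first argument (so it can be exercised with a stand-in such as "true") are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. The Shorewall 3.0 zones entry it
# models (the zone name "vpn" is an assumption):
#
#   #ZONE   TYPE    OPTIONS         IN OPTIONS      OUT OPTIONS
#   vpn     ipsec   mode=tunnel
#
# The OPTIONS column becomes a "-m policy" match; with the iptables build
# discussed in the post the match is rejected unless --mode is present.

# policy_match_args DIR OPTIONS
#   DIR      in | out
#   OPTIONS  comma-separated Shorewall ipsec zone options
# Prints the iptables match fragment; returns 1 if mode= is missing or an
# option is unknown.
policy_match_args() {
    dir=$1
    opts=$2
    args="-m policy --dir $dir --pol ipsec"
    mode=
    old_ifs=$IFS
    IFS=,
    for opt in $opts; do
        case $opt in
            mode=tunnel|mode=transport)      mode=${opt#mode=} ;;
            proto=ah|proto=esp|proto=ipcomp) args="$args --proto ${opt#proto=}" ;;
            reqid=*)                         args="$args --reqid ${opt#reqid=}" ;;
            spi=*)                           args="$args --spi ${opt#spi=}" ;;
            tunnel-src=*)                    args="$args --tunnel-src ${opt#tunnel-src=}" ;;
            tunnel-dst=*)                    args="$args --tunnel-dst ${opt#tunnel-dst=}" ;;
            strict)                          args="$args --strict" ;;
            *)
                IFS=$old_ifs
                echo "unknown ipsec zone option: $opt" >&2
                return 1
                ;;
        esac
    done
    IFS=$old_ifs
    if [ -z "$mode" ]; then
        echo "ipsec zone options must include mode=tunnel or mode=transport" >&2
        return 1
    fi
    printf '%s\n' "$args --mode $mode"
}

# detect_policy_match IPTABLES
#   Capability probe in the spirit of the errata 'functions'/'firewall'
#   files (this version is an assumption, not Shorewall's code): create a
#   scratch chain and try to add a rule that carries an explicit --mode.
#   A probe that omits --mode fails on this iptables, so the capability
#   would wrongly look absent. Prints POLICY_MATCH=Yes and returns 0 when
#   the match is accepted; otherwise prints POLICY_MATCH= and returns 1.
detect_policy_match() {
    ipt=${1:-iptables}
    chain=ipsec_probe          # assumed scratch chain name
    "$ipt" -N "$chain" >/dev/null 2>&1 || return 1
    if "$ipt" -A "$chain" -m policy --pol ipsec --mode tunnel --dir in >/dev/null 2>&1; then
        result=0
        printf 'POLICY_MATCH=Yes\n'
    else
        result=1
        printf 'POLICY_MATCH=\n'
    fi
    "$ipt" -F "$chain" >/dev/null 2>&1
    "$ipt" -X "$chain" >/dev/null 2>&1
    return $result
}

# Usage: the match fragments for the "vpn" zone in both directions.
policy_match_args in  mode=tunnel,proto=esp
policy_match_args out mode=tunnel,proto=esp
```

Run it as root with a real iptables to exercise the probe (detect_policy_match with no argument uses the iptables on the PATH); without the errata files, a Shorewall of the affected versions runs the probe without --mode and therefore never sets the capability, which is the failure the post describes.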
Joshua Schmidlkofer
2006-Jan-20 16:26 UTC
Re: Heads Up: IPSEC and Kernel 2.6.16/iptables 1.3.4
Tom Eastep wrote:
> I've been testing Kernel 2.6.16-rc1 together with the SVN version of iptables
> and have found one important change from prior releases that used the
> IPSEC-Nat and policy match patches.

Hahah! Thanks for the research, and this most valuable update!

I have one question, do you know the status of IPsec + bridge support?

Sincerely,
Joshua

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
On Friday 20 January 2006 08:26, Joshua Schmidlkofer wrote:
> Tom Eastep wrote:
> > I've been testing Kernel 2.6.16-rc1 together with the SVN version of
> > iptables and have found one important change from prior releases that
> > used the IPSEC-Nat and policy match patches.
>
> Hahah! Thanks for the research, and this most valuable update!
>
> I have one question, do you know the status of IPsec + bridge support?

No, I don't.

I've also posted on the Netfilter devel list asking if the incompatible change was intentional; I researched the patch that introduced the incompatibility and it may be a bug.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 20 January 2006 09:08, Tom Eastep wrote:
> On Friday 20 January 2006 08:26, Joshua Schmidlkofer wrote:
> > Tom Eastep wrote:
> > > I've been testing Kernel 2.6.16-rc1 together with the SVN version of
> > > iptables and have found one important change from prior releases that
> > > used the IPSEC-Nat and policy match patches.
> >
> > Hahah! Thanks for the research, and this most valuable update!
> >
> > I have one question, do you know the status of IPsec + bridge support?
>
> No, I don't.

But I can probably test it in the next week or so (I have a bridge on my firewall).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 20 January 2006 09:08, Tom Eastep wrote:
>
> I've also posted on the Netfilter devel list asking if the incompatible
> change was intentional; I researched the patch that introduced the
> incompatibility and it may be a bug.
>

I've confirmed that this IS a bug -- should be fixed in current SVN version.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom - You should be watching the Seahawks, not working!!

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Sunday, January 22, 2006 3:35 PM
To: shorewall-users@lists.sourceforge.net
Cc: Joshua Schmidlkofer
Subject: Re: [Shorewall-users] Heads Up: IPSEC and Kernel 2.6.16/iptables 1.3.4

On Friday 20 January 2006 09:08, Tom Eastep wrote:
>
> I've also posted on the Netfilter devel list asking if the
> incompatible change was intentional; I researched the patch that
> introduced the incompatibility and it may be a bug.
>

I've confirmed that this IS a bug -- should be fixed in current SVN version.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sunday 22 January 2006 15:52, Jim wrote:
> Tom - You should be watching the Seahawks, not working!!

I'm watching, never fear :-)

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sunday 22 January 2006 14:57, Tom Eastep wrote:
> On Sunday 22 January 2006 15:52, Jim wrote:
> > Tom - You should be watching the Seahawks, not working!!
>
> I'm watching, never fear :-)
>
> -Tom

Might as well watch. I couldn't cut code during this game...

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
On Sunday 22 January 2006 18:53, John Andersen wrote:
>
> Might as well watch. I couldn't cut code during this game...

Nor could I -- after 29 years, the HAWKS ARE GOING TO THE SUPER BOWL!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Indeed! Congratulations from Maple Valley! It's been way too long coming.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Sunday, January 22, 2006 7:43 PM
To: shorewall-users@lists.sourceforge.net
Cc: John Andersen
Subject: Re: [Shorewall-users] Heads Up: IPSEC and Kernel 2.6.16/iptables 1.3.4

On Sunday 22 January 2006 18:53, John Andersen wrote:
>
> Might as well watch. I couldn't cut code during this game...

Nor could I -- after 29 years, the HAWKS ARE GOING TO THE SUPER BOWL!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key