At Thu, 25 Jun 2009 17:17:29 +0200 (CEST), Hubert Feyrer <hubert%feyrer.de@localhost> wrote:
Subject: Re: reverse processing order: NAT, IPsec ?

> Reverting to the original code with just the patch below makes things work
> for me. Apparently the current code only runs the PFIL_HOOKS once for
> incoming IPsec packets, but not a second time after de-encapsulation.
> This is what I'm seeing in tcpdump here. Disabling the test if the packet
> was already processed gets NAT done properly (and yes, I have FAST_IPSEC
> enabled instead of IPSEC).
>
> Does anyone have an idea on the implications here? Why is a second run of
> PFIL_HOOKS disabled (only!) for IPsec?

I suspect, with thinking too much about it so I may have this completely
wrong, that calling PFIL hooks for the de-encapsulated packet will indeed
cause problems with filter rules in non-tunnel-mode (connectionless) IPsec
implementations, at least if those filter rules are not designed to take
into account the presence and removal of the authentication header on an
otherwise identical IP header.

-- 
Greg A. Woods
Planix, Inc. <woods%planix.com@localhost>
+1 416 218-0099
http://www.planix.com/