Re: 2.6 native IPsec implementation question

[Jan Engelhardt]

>1. Why IPsec in 2.6 doesn't uses separate interface ?
>It makes impossible to implement firewall logic like this (or I'm
>missing something):
>
>incoming from eth0 allow AH
>incoming from eth0 allow ESP
>incoming from eth0 allow udp 500
>incoming from eth0 allow udp 53
>incoming from eth0 allow ICMP related
>incoming from eth0 deny all

iptables -A INPUT -N myipsec;
iptables -A INPUT -j myipsec -i eth0 -m ah
iptables -A INPUT -j myipsec -i eth0 -m esp
iptables -A INPUT -j ACCEPT -i eth0 -p udp --dport 53
iptables -A INPUT -j ACCEPT -i eth0 -p udp --dport 500
iptables -A INPUT -j ACCEPT -i eth0 -p icmp -m state --state RELATED
iptables -A INPUT -j REJECT -i eth0

>then set of filters restricting traffic incoming via IPsec for examle:
>incoming from ipsec0 allow tcp 389
>incoming from ipsec0 allow ICMP related
>incoming from ipsec0 deny all

iptables -A myipsec -j ACCEPT -p tcp --dport 389
iptables -A myipsec -j ACCEPT -p icmp -m state --state RELATED
iptables -A myipsec -j REJECT

Maybe that solves it? (Not sure whether the myipsec chain works as thought.)

>2. Why IPsec in 2.6 doesn't creates entries in the route tables ?

Because it doesnot create a device ipsecN?




Jan Engelhardt
-- 
Gesellschaft fÃr Wissenschaftliche Datenverarbeitung
Am Fassberg, 37077 GÃttingen, www.gwdg.de
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/