ipsec patches test: minor compilation and policy match issues
Tue, 13 Jul 2004 07:53:06 -0400
Content-Type: text/plain; charset=us-ascii
* Patrick McHardy (email@example.com) wrote:
> Stephen Frost wrote:
> >I'm doing basically the same thing. 20040710 or so of POM and iptables
> >and 2.6.7. Got everything built/compiled/installed/etc. IPSEC is all
> >working and whatnot. My problem is matching things. I've been trying
> >to match using spi and I just can't seem to get it to work. I'm using
> >the spi I get from setkey -D and from tcpdump but no matter what I try
> >it doesn't work.
> >Sorry I can't give more details, but is this supposted to work? I'll
> >see about adding something to ipt_policy.c to get it to print out what
> >it thinks the SPI is tommorow, hopefully. Anyone else tried this?
> >The match works if I don't have --spi 0x<blah>, doesn't work if I do. :/
> The --spi option matches the spi given in the setkey policy with
> unique:number. I'll update the manpage ..
Ahhh, now that makes much more sense. I just had 'require' before. I'm
getting closer it seems. Now, at least, I seem to be able to match the
number I put after the 'unique:' using '--reqid'. Still doesn't work
when using '--spi' though. Not sure that I care though, unless someone
can tell me a reason why I should? It's important, of course, to match
the right packets, since I'm doing tunneling and different remote sites
will have access to different things and so different firewall rules to
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----