ipsec patches test: minor compilation and policy match issues

Henrik Nordstrom hno@marasystems.com
Wed, 14 Jul 2004 05:37:51 +0200 (CEST)


On Wed, 14 Jul 2004, Patrick McHardy wrote:

> Maybe we should add new policy checks to protect conntrack from these
> packets. If they are invalid it shouldn't change state.

This is a general problem of conntrack when applying policies to packet
flows. Spoofed packets arriving from an untrusted source will disrupt
conntrack states unless filtering is applied before conntrack.

In normal traffic this can be solved by using the raw table to enforce the
anti-spoof policy by dropping illegal traffic flows before they are seen by
conntrack.  I suppose something similar could be done with ipsec traffic?

It would obviously be very nice for conntrack if the ipsec policy checks
could be applied in prerouting before conntrack, but I am not sure how
feasible this is. It is not exactly a natural point for ipsec to apply
policy checks in prerouting.

Regards
Henrik
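The raw-table approach Henrik describes, written out as an added example that is not part of the original mail or the netfilter project: the raw table's PREROUTING chain is traversed before connection tracking, so anti-spoof rules placed there drop forged packets before they can create or alter conntrack state, whereas the same rules in the filter table's INPUT or FORWARD chains would run after conntrack has already seen the packet. The interface names (eth0/eth1) and the internal prefix (192.0.2.0/24, a documentation range) are assumptions for illustration. The script emits the iptables commands instead of executing them, so it can be reviewed and run unprivileged; piping its output to sh as root installs the rules.

```shell
#!/bin/sh
# Added example (not from the mail thread): anti-spoof policy enforced in the
# raw table so that spoofed packets are dropped before conntrack sees them.
# Assumed topology (not on the page): eth0 is the untrusted external interface,
# eth1 is the internal interface, 192.0.2.0/24 is the internal prefix.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.0.2.0/24}"

# Print the rules for the given interfaces/prefix, one iptables command per
# line. Emitting rather than applying keeps the script reviewable and lets it
# run without root; `... | sh` applies the rules.
raw_antispoof_rules() {
    ext_if="$1"; int_if="$2"; int_net="$3"

    # A packet claiming an internal source but arriving on the external
    # interface is spoofed: drop it in raw/PREROUTING, before conntrack.
    echo "iptables -t raw -A PREROUTING -i $ext_if -s $int_net -j DROP"

    # Traffic entering on the internal interface must carry an internal
    # source address; anything else is forged or misrouted.
    echo "iptables -t raw -A PREROUTING -i $int_if ! -s $int_net -j DROP"

    # Source addresses that can never legitimately arrive from outside.
    for bogon in 127.0.0.0/8 0.0.0.0/8; do
        echo "iptables -t raw -A PREROUTING -i $ext_if -s $bogon -j DROP"
    done
}

# Number of rules the policy installs; handy as a sanity check in tests.
raw_antispoof_rule_count() {
    raw_antispoof_rules "$@" | wc -l | tr -d ' '
}

# The same DROP placed in the filter table is too late: conntrack has already
# processed the packet in PREROUTING, so its state may already be disturbed.
filter_table_rule_too_late() {
    echo "iptables -t filter -A FORWARD -i $1 -s $3 -j DROP  # runs after conntrack"
}

# Dry run: show what would be installed for the assumed topology.
raw_antispoof_rules "$EXT_IF" "$INT_IF" "$INT_NET"
```

To install, run the script as root and pipe it to sh; to verify placement afterwards, `iptables -t raw -L PREROUTING -n` should list the DROP rules ahead of any NOTRACK or accept rules, since rule order within the chain still matters.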