NAT behind IPSEC GW working OK - please review patch
bborger at navcorp.com
Fri Mar 11 18:38:14 CET 2005
I have a subnet behind an IPSEC GW which is
NATed to the IPSEC GW address. The IPSEC tunnel
is between the GW host address and the subnet
behind the remote IPSEC GW. It is required that
the NATed packets from the local subnet and the
packets originating on the GW must both pass
through the tunnel to the remote subnet.
Before applying the Patrick McHardy ipsec0x
and policy patches, there were problems
getting the NATed packets out over the tunnel.
After the patches were applied, the packets
got out the tunnel and returned via the tunnel
as expected, but were dropped during forwarding.
It appeared that the packet was still considered
to be a part of the encrypted stream and there
was no policy to forward it to the local subnet.
I changed the "xfrm_policy_check" function in
"./include/net/xfrm.h" to allow forwarding if
the "decap_done" flag is set.
Does anyone see any detrimental effects for this change?
Could I have achieved the same result with a
I started with a virgin 2.6.10 kernel then applied the
Patrick McHardy patches ported for the 2.6.10 kernel from:
Then I made this change to "xfrm.h":
static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
                                    unsigned short family)
{
        if (sk && sk->sk_policy[XFRM_POLICY_IN])
                return __xfrm_policy_check(sk, dir, skb, family);

        return (!xfrm_policy_list[dir] && !skb->sp) ||
               (skb->sp && skb->sp->decap_done) || /* Added this line */
               (skb->dst->flags & DST_NOPOLICY) ||
               __xfrm_policy_check(sk, dir, skb, family);
}
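The following is an added, user-space model of the modified expression, written for this page; it is not code from the post, from the McHardy patches or from the kernel. The struct layouts, the enum values, the `xfrm_env` stand-in for `xfrm_policy_list[]` and the verdict of `__xfrm_policy_check()`, and the three scenario functions are all assumptions made for illustration. It puts the original expression and the patched one side by side on the same packet so the effect of the added clause on the forward path can be seen: once `sp->decap_done` is set, the patched expression returns 1 before `__xfrm_policy_check()` is ever consulted, whatever that function would have decided.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space model of the fields the posted xfrm_policy_check()
 * reads. Names follow the post; the layouts and values are NOT the kernel's. */
enum { XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_FWD = 2, XFRM_POLICY_MAX = 3 };
#define DST_NOPOLICY 0x1

struct sec_path { int decap_done; };             /* set once the packet has been decapsulated */
struct dst_entry { unsigned int flags; };
struct sk_buff { struct sec_path *sp; struct dst_entry *dst; };

/* Per-scenario stand-ins for global kernel state: whether xfrm_policy_list[dir]
 * is non-empty, and the verdict __xfrm_policy_check() would return (assumed). */
struct xfrm_env {
    bool policy_list[XFRM_POLICY_MAX];
    int full_check_verdict;
};

/* The posted expression, with the added clause switchable so both versions can
 * be evaluated on the same packet. The socket branch is left out: sk is NULL on
 * the forward path, so it never fires there. */
static int model_policy_check(const struct xfrm_env *env, int dir,
                              const struct sk_buff *skb, bool with_decap_shortcut)
{
    if (!env->policy_list[dir] && !skb->sp)
        return 1;                        /* no policies and no SA: accept */
    if (with_decap_shortcut && skb->sp && skb->sp->decap_done)
        return 1;                        /* the added line: accept before any policy lookup */
    if (skb->dst->flags & DST_NOPOLICY)
        return 1;
    return env->full_check_verdict;      /* __xfrm_policy_check() */
}

/* Scenario from the post: a decapsulated packet on the FORWARD path for which
 * the full check returns 0 (the drop the post describes). Returns the verdict
 * of the chosen version: 0 = drop, 1 = accept. */
int forward_decapsulated_no_policy(bool with_decap_shortcut)
{
    struct sec_path sp = { .decap_done = 1 };
    struct dst_entry dst = { .flags = 0 };
    struct sk_buff skb = { .sp = &sp, .dst = &dst };
    struct xfrm_env env = { .policy_list = { true, true, true }, .full_check_verdict = 0 };
    return model_policy_check(&env, XFRM_POLICY_FWD, &skb, with_decap_shortcut);
}

/* Control: same packet, but decapsulation has not completed. Both versions must
 * agree, because the added clause only tests decap_done. */
int forward_not_decapsulated(bool with_decap_shortcut)
{
    struct sec_path sp = { .decap_done = 0 };
    struct dst_entry dst = { .flags = 0 };
    struct sk_buff skb = { .sp = &sp, .dst = &dst };
    struct xfrm_env env = { .policy_list = { true, true, true }, .full_check_verdict = 0 };
    return model_policy_check(&env, XFRM_POLICY_FWD, &skb, with_decap_shortcut);
}

/* Control: plaintext packet with no sec_path and no FWD policies at all. The
 * first clause accepts it in both versions. */
int forward_plaintext_no_policies(bool with_decap_shortcut)
{
    struct dst_entry dst = { .flags = 0 };
    struct sk_buff skb = { .sp = NULL, .dst = &dst };
    struct xfrm_env env = { .policy_list = { true, true, false }, .full_check_verdict = 0 };
    return model_policy_check(&env, XFRM_POLICY_FWD, &skb, with_decap_shortcut);
}

int main(void)
{
    printf("%-40s %-8s %-8s\n", "scenario (FWD dir)", "original", "patched");
    printf("%-40s %-8d %-8d\n", "decapsulated, full check says 0",
           forward_decapsulated_no_policy(false), forward_decapsulated_no_policy(true));
    printf("%-40s %-8d %-8d\n", "not yet decapsulated",
           forward_not_decapsulated(false), forward_not_decapsulated(true));
    printf("%-40s %-8d %-8d\n", "plaintext, no FWD policies",
           forward_plaintext_no_policies(false), forward_plaintext_no_policies(true));
    return 0;
}
```

The model makes one property of the patched expression explicit: `full_check_verdict` is never read when `decap_done` is set, so the patched check cannot tell the post's case (no forward policy exists for the decapsulated traffic) apart from a forward policy that exists and would have rejected the packet; both take the same early `return 1`. That is the thing to verify on a real kernel before relying on this change: add a deliberately restrictive forward policy for the decapsulated traffic and confirm whether it is still enforced.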