ipsec with 2.6.16-rc3-git6

Marco Berizzi pupilla at hotmail.com
Fri Feb 17 11:07:05 CET 2006


Patrick McHardy wrote:

>Marco Berizzi wrote:
> >
> > Patrick McHardy wrote:
> >
> >> I can't see a mistake. Can you please add a logging rule to log
> >> the packets that get dropped without the ACCEPT rule?
> >
> >
> > Sure! Here is:
> >
> > root at Halley:/tmp# iptables -D INPUT -s venezia-gateway -j ACCEPT
> >
> > [started ping from a venezia private host ----> to firenze private host]
> >
> > root at Halley:/tmp# iptables -I INPUT -s venezia-gateway -j LOG
> > --log-level debug --log-ip-options
> >
> > IN=eth0 OUT= MAC=00:90:27:74:66:4c:00:0c:ce:93:65:ce:08:00
> > SRC=venezia-gateway DST=firenze-gateway LEN=112 TOS=0x00 PREC=0x00
> > TTL=53 ID=45921 PROTO=ESP SPI=0x583f3ff9
> > IN=eth0 OUT= MAC=00:90:27:74:66:4c:00:0c:ce:93:65:ce:08:00
> > SRC=venezia-gateway DST=firenze-gateway LEN=80 TOS=0x00 PREC=0x00 TTL=53
> > ID=45921 PROTO=4
>
>That's odd, these packets should be caught by your ESP rule, so I guess
>they must be dropped by another rule. Please post your full ruleset with
>iptables -vxnL.

Patrick,

Also adding this rule is not sufficient:

iptables -I INPUT -s venezia-gateway --protocol esp -j ACCEPT
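As an added example (not code from the thread), here is a small Python check that parses the two LOG lines quoted above and reports which rule of a minimal INPUT ruleset would accept each packet. It treats `--protocol esp` as IP protocol 50 and `PROTO=4` as IP-in-IP, so it shows that the ESP-only rule leaves the second logged packet to the chain policy. The hostnames are kept as they appear in the quoted log.

```python
"""Check which simple INPUT rules would match netfilter LOG output."""
import re
from typing import Dict, List, Optional, Tuple

# The LOG target prints well-known protocols by name and others by number.
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17, "ESP": 50, "AH": 51}

# Constructed sample: the two LOG lines from the thread, one per line,
# with the gateway hostnames standing in for the real addresses.
SAMPLE_LOG = """\
IN=eth0 OUT= MAC=00:90:27:74:66:4c:00:0c:ce:93:65:ce:08:00 SRC=venezia-gateway DST=firenze-gateway LEN=112 TOS=0x00 PREC=0x00 TTL=53 ID=45921 PROTO=ESP SPI=0x583f3ff9
IN=eth0 OUT= MAC=00:90:27:74:66:4c:00:0c:ce:93:65:ce:08:00 SRC=venezia-gateway DST=firenze-gateway LEN=80 TOS=0x00 PREC=0x00 TTL=53 ID=45921 PROTO=4
"""

# Hypothetical rule representation: each rule is a dict with an optional
# 'src' and 'proto' match and a mandatory 'target', in chain order.
Rule = Dict[str, object]
ESP_ONLY = [{"src": "venezia-gateway", "proto": 50, "target": "ACCEPT"}]
SRC_ANY = [{"src": "venezia-gateway", "target": "ACCEPT"}]


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn 'KEY=value KEY2=value2 ...' into a dict; empty values (OUT=) are kept."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def proto_number(field: str) -> int:
    """Map the PROTO= field to its IP protocol number."""
    return int(field) if field.isdigit() else PROTO_NUMBERS[field]


def rule_matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    """True if every match the rule specifies agrees with the logged packet."""
    if "src" in rule and pkt.get("SRC") != rule["src"]:
        return False
    if "proto" in rule and proto_number(pkt["PROTO"]) != rule["proto"]:
        return False
    return True


def first_match(rules: List[Rule], pkt: Dict[str, str]) -> Optional[str]:
    """Target of the first matching rule, or None when the packet falls through to the chain policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return str(rule["target"])
    return None


def classify(log_text: str, rules: List[Rule]) -> List[Tuple[int, Optional[str]]]:
    """(protocol number, verdict) for each LOG line under the given ruleset."""
    result = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        result.append((proto_number(pkt["PROTO"]), first_match(rules, pkt)))
    return result
```

Running `classify(SAMPLE_LOG, ESP_ONLY)` shows the protocol-4 packet with no matching rule, while `classify(SAMPLE_LOG, SRC_ANY)` accepts both.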