Dear Herbert and Laurence,

Do you mind looking at this patch set and applying it to the Debian kernels? They set a bit in packet headers coming off the new IPSEC, and there are netfilter IPv4 and IPv6 modules to detect the bit. This closes the iptables packet injection hole that you open when allowing in traffic off the VPN on a firewall. We need the patch here at work as the iptables filters have to be authoritative in controlling traffic through the firewall. If you like the look of them I will go and create bugs against iptables and the kernels and put the patches there. I have also posted these patches to the netfilter-devel list up at lists.netfilter.org.

Thanks for looking at this.

Cheers,
Matthew Grant
Attachments:
iptables-1.2.9-ipsecrx-krnlheaders.patch (binary data)
iptables-1.2.9-ipsecrx.patch (binary data)
linux-2.4.25-ipsecrx.patch (binary data)
linux-2.6.4-ipsecrx.patch (binary data)
signature.asc (digitally signed message part)
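The hole the mail describes, shown as an added example that is not part of the original message or of the attached patches: a ruleset that trusts any packet with a VPN source address on the outside interface, beside a hardened one that only accepts packets which actually arrived inside an inbound IPsec SA. The hardened rules use the `policy` match that later netfilter releases ship for exactly this purpose (an assumption, since the mail does not name its own match module); `eth0`, `10.8.0.0/16` and the `RUN` dry-run variable are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail or patches.
# EXT is the internet-facing interface, VPN_NET the remote IPsec subnet
# (both constructed values). RUN=echo prints the rules instead of applying
# them; set RUN="" and run as root to apply them for real.
EXT=${EXT:-eth0}
VPN_NET=${VPN_NET:-10.8.0.0/16}
RUN=${RUN:-echo}

# Weak: anything claiming a VPN source address on the outside interface is
# accepted. A spoofed plaintext packet with a 10.8.x.x source is treated
# exactly like a packet that was really decapsulated from ESP, which is the
# injection hole the mail describes.
weak_rules() {
    $RUN iptables -A INPUT -i "$EXT" -s "$VPN_NET" -j ACCEPT
}

# Hardened: let IKE and ESP reach the IPsec stack, then accept VPN-sourced
# packets only if the kernel says they came in under an inbound ESP policy.
# Plaintext packets with the same source fall through to the final DROP.
hardened_rules() {
    $RUN iptables -A INPUT -i "$EXT" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $RUN iptables -A INPUT -i "$EXT" -p esp -j ACCEPT
    $RUN iptables -A INPUT -i "$EXT" -s "$VPN_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $RUN iptables -A INPUT -i "$EXT" -s "$VPN_NET" -j DROP
}
```

With `RUN=echo` (the default) both functions only print the rules, so the two rulesets can be compared side by side before anything is loaded into the kernel.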