
[PATCH] - ipsecrx match - was Re: Writing iptables IPSEC reception support.



Dear Herbert and Laurence,

Do you mind looking at this patch set and applying it to the
Debian kernels? They set a bit in packet headers coming off the new,
IPSEC, and there are netfilter IPv4 and IPv6 modules to detect the bit.

This closes the iptables packet injection hole that you open when 
allowing in traffic off the VPN on a firewall.  We need the patch here
at work as the iptables filters have to be authoritative in controlling
traffic through the firewall.

If you like the look of them I will go and create bugs against iptables
and the kernels and put the patches there.

I have also posted these patches to the netfilter-devel list up at 
lists.netfilter.org.

Thanks for looking at this.

Cheers,

Matthew Grant

Attachment: iptables-1.2.9-ipsecrx-krnlheaders.patch
Description: Binary data

Attachment: iptables-1.2.9-ipsecrx.patch
Description: Binary data

Attachment: linux-2.4.25-ipsecrx.patch
Description: Binary data

Attachment: linux-2.6.4-ipsecrx.patch
Description: Binary data

Attachment: signature.asc
Description: This is a digitally signed message part

