lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 30 May 2015 01:52:12 -0400
From:	"John A. Sullivan III" <jsullivan@...nsourcedevel.com>
To:	netdev@...r.kernel.org
Subject: Ingress tc filters with IPSec

Argh! yet another obstacle from my ignorance.  We are attempting ingress
traffic shaping using IFB interfaces on traffic coming via GRE / IPSec.
Filters and hash tables are working fine with plain GRE including
stripping the header.  We even got the ematch filter working so that the
ESP packets are the only packets not redirected to IFB.

But, regardless of whether we redirect ESP packets to IFB, the filters
never see the decrypted packets.  I thought the packets passed through
the interface twice - first encrypted and they decrypted.  However,
tcpdump only shows the ESP packets on the interface.

How do we apply filters to the packets after decryption? Thanks - John

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ