| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 May 2015 02:24:51 -0400 From: "John A. Sullivan III" <jsullivan@...nsourcedevel.com> To: netdev@...r.kernel.org Subject: Re: Ingress tc filters with IPSec On Sat, 2015-05-30 at 01:52 -0400, John A. Sullivan III wrote: > Argh! yet another obstacle from my ignorance. We are attempting ingress > traffic shaping using IFB interfaces on traffic coming via GRE / IPSec. > Filters and hash tables are working fine with plain GRE including > stripping the header. We even got the ematch filter working so that the > ESP packets are the only packets not redirected to IFB. > > But, regardless of whether we redirect ESP packets to IFB, the filters > never see the decrypted packets. I thought the packets passed through > the interface twice - first encrypted and they decrypted. However, > tcpdump only shows the ESP packets on the interface. > > How do we apply filters to the packets after decryption? Thanks - John I see what changed. In the past, this seemed to work but we were using tunnel mode. We were trying to use transport mode in this application but that seems to prevent the decrypted packet contents from appearing again on the interface. Reverting to tunnel mode made the contents visible again and our filters are working as expected - John -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists