Re: [Fwbuilder-discussion] [PATCH] IPSec Support
From: Vadim K. <va...@vk...> - 2004-12-04 17:55:48
Thomas, thank you for the patch. I am not sure "via ipsec" should be implemented as an action. You mark IPSEC packets at the beginning (this _is_ an action) and match marked packets later. It makes more sense to implement matching as a service.

Anyway, I am planning on implementing this in a more general way. First of all, I'd rather implement a universal action "mark" so it is not limited to only IPSEC. The marking rule will be explicitly added by the user instead of being auto-generated. The matching rule will just use a service object. The service object is trivial; it is just another Custom Service with a code "-m mark --mark 50". The marking rule requires changes in the code to add a new action etc., similar to what you've done in your patch.

In fact, this can be done with 2.0.4 right now. You can add a marking rule in the prolog section (in the firewall settings dialog), then create your own custom service object with command " -m mark --mark 50 " and use it in a rule where you match marked packets. I am still going to make the change and provide "Mark" as a standard action, but you don't have to wait for that.

--vk

On Dec 4, 2004, at 8:14 AM, Thomas Ristic wrote:

> Attached you find a very rough patch to demonstrate basic IPSec support
> using MARK. CAUTION: I haven't even tested the rules it generates!
>
> Maybe even Openswan could be modified to mark packets with a unique ID
> per SA, so we could have individual rules for different tunnels.
>
> If anyone thinks this approach could work, please let me know, so I
> will straighten it out.
>
> Thomas
> --
> <fwbuilder_esp_mark.diff><libfwbuilder_esp_mark.diff><viaipsec.png>
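The prolog-plus-custom-service workaround described in the reply above, expanded into the plain iptables commands fwbuilder would end up emitting; this is an added example, not code from the thread or from the fwbuilder project. It assumes IPsec traffic is identified as ESP (IP protocol 50), that the prolog marking rule lives in the mangle table so it runs before any filter rule, and that INPUT and FORWARD are the chains where marked packets are matched; mark value 50 is the one from the thread.

```shell
#!/bin/sh
# Added example (not from this thread or the fwbuilder project).
# Assumptions: IPsec = ESP, marking happens in the mangle table (prolog),
# matching happens in the filter table's INPUT/FORWARD chains.
MARK=50                       # value used by "-m mark --mark 50" in the thread
IPT="${IPT:-iptables}"        # command prefix; rules are printed, not applied

# Prolog rule: mark IPsec (ESP) packets as early as possible in the chain.
mark_rule() {
    chain=$1
    printf '%s -t mangle -A %s -p esp -j MARK --set-mark %s\n' \
        "$IPT" "$chain" "$MARK"
}

# The "custom service" part: the match expression a policy rule carries.
mark_service() {
    printf '%s' "-m mark --mark $MARK"
}

# Policy rule that uses the custom service to match previously marked packets.
match_rule() {
    chain=$1; target=$2
    printf '%s -A %s %s -j %s\n' "$IPT" "$chain" "$(mark_service)" "$target"
}

# Full script in the order fwbuilder would emit it: prolog (marking) first,
# then the policy rules that match on the mark.
generate_ruleset() {
    mark_rule PREROUTING
    mark_rule OUTPUT
    match_rule INPUT ACCEPT
    match_rule FORWARD ACCEPT
}

# Sanity check for the ordering the reply insists on: every "--set-mark"
# line must come before any "--mark N -j" match line, otherwise the match
# rules never see a marked packet. Exit status 0 means the order is correct.
check_order() {
    generate_ruleset | awk -v ok=1 '
        /--mark [0-9]+ -j/ { seen_match = 1 }
        /--set-mark/ && seen_match { ok = 0 }
        END { exit ok ? 0 : 1 }'
}

generate_ruleset
```

Run with `IPT="echo iptables"` to inspect the generated script, or pipe the output into a root shell on a test host to load it.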