On 06/05/07 07:29, noa levy wrote:
SNAT takes place in POST_ROUTING. Can IPSec be applied after that? I
have read that after IPSec the packet gets injected to LOCAL_OUT
again, but when does the actual IPSec policy decision take place?
Won't it happen *before* SNAT? Can I control it?
Last I looked (it's been a while) the basic methodology at the time was
that (unencrypted) traffic would pass through the kernel like regular
traffic. Then after everything else was done it would be encrypted and
looped back through the system in its encrypted form. So what you would
do is selectively do what ever you wanted to do to the traffic before it
was encrypted by matching that traffic with filters. In short, do what
ever you want to with the clear text traffic, then do what ever you want
with cypher text traffic.
There use to be a series of patches that needed to be applied to the
kernel to make this packet flow possible. I do not know if these
patches are still required or not, though I would expect it to be main
line by now.
Can / will any one confirm / refute this please?
Grant. . . .
|