Re: 2.6.16-rc3 panic related to IP Forwarding and/or Netfilter

On Thu, Feb 16, 2006 at 09:33:07PM +0100, Patrick McHardy wrote:
> Jens Taprogge wrote:
> > The two patches fix the panic.  However routing still does not quite
> > work. 
> > 
> > My setup consits of two masquerading gateways with local adresses
> > 192.168.1.128 (2.6.15.1) and 192.168.3.11 (2.6.16-rc3 + patches).  They
> > connect the two local networks through an IPSEC tunnel.  With the exact
> > same setup that previously (192.168.3.11 running 2.6.13) worked I can
> > now only reach from 192.168.1.0/24 to 192.168.3.0/24 and not the other
> > way around:
> > 
> > Pinging from 192.168.1.128 I am getting:
> > 	$ ping 192.168.3.15
> > 	PING 192.168.3.15 (192.168.3.15): 56 data bytes
> > 	64 bytes from 192.168.3.15: icmp_seq=0 ttl=63 time=127.9 ms
> > 
> > On the other hand pinging from 192.168.3.11 I am getting timeouts.
> > 
> > This is even the case if I set the nat POSTROUTING rule to: 
> > 	$ iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 111
> > 	$ iptables -t nat -F POSTROUTING
> > 	$ iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.0/24 \
> > 		-m mark ! --mark 111 -j MASQUERADE
> > 
> > on both sides of the tunnel which should disable masquerading for IPSEC
> > packages.
> > 
> > However the tunnel works as soon as I completly disable masquerading.
> 
> 2.6.16-rc includes patches for proper netfilter IPsec handling. Packets
> will now go through the chains once in plain text and once encrypted,
> so I guess you're masquerading the packets that should go through the
> tunnel to an address that doesn't match the policy anymore and they
> are therefore not handled by IPsec (this is also the case my patches
> fixed). So you need to make sure you don't have any SNAT rules that
> change the unencrypted packets to an address not included in the policy.

Thanks.  That pointed me in the right direction.  After excluding the
plain-text IPSec traffic from masquerading things work again.

Best Regards
Jens Taprogge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • 2.6.16-rc3 panic related to IP Forwarding and/or Netfilter
    • From: Jens Taprogge <[email protected]>
  • Re: 2.6.16-rc3 panic related to IP Forwarding and/or Netfilter
    • From: Patrick McHardy <[email protected]>
  • Re: 2.6.16-rc3 panic related to IP Forwarding and/or Netfilter
    • From: Jens Taprogge <[email protected]>
  • Re: 2.6.16-rc3 panic related to IP Forwarding and/or Netfilter
    • From: Patrick McHardy <[email protected]>

• Prev by Date: Re: [patch 0/6] lightweight robust futexes: -V3 - Why in userspace?
• Next by Date: [PATCH v2] Provide an interface for getting the current tick length
• Previous by thread: Re: 2.6.16-rc3 panic related to IP Forwarding and/or Netfilter
• Next by thread: [PATCH] edac: switch to kthread_ API
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]