[CentOS] making a route sticky

Aleksandar Milivojevic alex at milivojevic.org
Tue Aug 9 16:47:07 UTC 2005


Quoting Les Mikesell <lesmikesell at gmail.com>:

> Does 'established' make any sense for anything but tcp?

Yes, it does.

For UDP packets, it means the firewall already saw a matching packet (in either
direction). There's one thing to watch out for: there's a timeout for how long the
kernel keeps UDP connection tracking tables, so if the "connection" (I know it's
not a connection, but for lack of a better word) is idle for a bit longer, the
next packet will go to "new" state. However, for some protocols it is still
useful (for example DNS queries).

ICMP mostly goes to "related" state.  The ICMP ping reply goes to established.

Anyhow, back to the original problem.

There's a bug in the kernel (Netfilter). Well, there are several related to the
same issue. If IPSec is in transport mode, the packets will go through Netfilter
tables only once (as an encrypted ESP packet). That's why the ICMP ping reply was
in new state. Netfilter never saw the ICMP ping request (it only saw the
encrypted ESP packet).

The workaround is to configure IPSec in tunnel mode, but instead of using local
network addresses for the policy, use the external IP address of the VPN gateway.
This effectively gives the same functionality as transport mode.

According to Netfilter developers, the bug is really hard to solve, and they
were working on it for a very long time. Even in tunnel mode incoming packets
are going through Netfilter tables only once, but this time the same chains are
propagated with the encrypted packet, and some chains with the decrypted packet.
So it is kind of usable, unless you want to do some fancy NATing. There were some
proposed patches, but they were not good enough to be included in the mainstream
kernel, and were finally abandoned.

Thanks for the hint to check out GRE. It works great (now that I'm aware of
Netfilter's bug, and the ways to work around it). Now I have interfaces that I
can route to, and even writing Netfilter firewall rules is much simpler than by
using IPSec's tunneling. And I don't have to worry if my ADSL link goes down
and up.

Hopefully it can also work between Linux and Cisco routers (can't test it out,
none of my Cisco routers came with IPSec functionality enabled).
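As an added example (not from the thread above), a sketch of the GRE-plus-Netfilter setup the post describes: a GRE tunnel interface that can be routed to, with stateful rules on that interface so conntrack sees both directions of the decapsulated traffic. All addresses and the interface name are placeholders; with DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# GRE tunnel + stateful Netfilter policy on the tunnel interface.
# Placeholder values; override via environment before running for real.
set -eu

LOCAL_PUB=${LOCAL_PUB:-203.0.113.1}     # this gateway's public address (placeholder)
REMOTE_PUB=${REMOTE_PUB:-198.51.100.1}  # peer gateway's public address (placeholder)
TUN_IF=${TUN_IF:-gre1}                  # tunnel interface name (assumed)
TUN_LOCAL=${TUN_LOCAL:-10.255.0.1/30}   # point-to-point address on the tunnel
REMOTE_LAN=${REMOTE_LAN:-192.168.2.0/24} # network behind the peer (placeholder)
DNS_SERVER=${DNS_SERVER:-192.168.1.10}  # local resolver the peer may query (placeholder)
DRY_RUN=${DRY_RUN:-1}                   # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Bring up the GRE tunnel and route the remote LAN through it.
# Note: GRE itself carries no encryption or authentication.
gre_up() {
    run ip tunnel add "$TUN_IF" mode gre local "$LOCAL_PUB" remote "$REMOTE_PUB" ttl 64
    run ip addr add "$TUN_LOCAL" dev "$TUN_IF"
    run ip link set "$TUN_IF" up
    run ip route add "$REMOTE_LAN" dev "$TUN_IF"
}

# Firewall policy: outer GRE only from the known peer; inner traffic is
# plain IP on $TUN_IF, so conntrack sees requests and replies (unlike the
# once-only ESP pass described in the post) and ESTABLISHED,RELATED works.
fw_rules() {
    run iptables -A INPUT -p gre -s "$REMOTE_PUB" -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    # UDP DNS: a fresh query after the conntrack timeout is NEW again, so allow it explicitly.
    run iptables -A FORWARD -i "$TUN_IF" -p udp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -j DROP
}

gre_up
fw_rules
```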
