Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. iptables>
  3. Devel
xt_policy: output policy not valid in PRE_ROUTING and INPUT
ole at ans
Aug 6, 2007, 4:22 AM
Post #1 of 4 (2353 views)
Permalink
Hello,

Is there any reason why it is not possible to use "-m policy --dir out" in
PREROUTING? I tried to do something like:

-A PREROUTING -m policy --dir out --pol ipsec -j RETURN
-A PREROUTING -p tcp -i $IF_LANBR --dport 80 -j REDIRECT --to-ports 8088

Best regards,


Krzysztof Olêdzki
Re: xt_policy: output policy not valid in PRE_ROUTING and INPUT [ In reply to ]
kaber at trash
Aug 6, 2007, 5:30 AM
Post #2 of 4 (2255 views)
Permalink
Krzysztof Oledzki wrote:
> Hello,
>
> Is there any reason why it is not possible to use "-m policy --dir out"
> in PREROUTING? I tried to do something like:
>
> -A PREROUTING -m policy --dir out --pol ipsec -j RETURN
> -A PREROUTING -p tcp -i $IF_LANBR --dport 80 -j REDIRECT --to-ports 8088


The IPsec policy is selected after routing, which is why can't
be used in PREROUTING.
Re: xt_policy: output policy not valid in PRE_ROUTING and INPUT [ In reply to ]
ole at ans
Aug 6, 2007, 5:41 AM
Post #3 of 4 (2268 views)
Permalink
On Mon, 6 Aug 2007, Patrick McHardy wrote:

> Krzysztof Oledzki wrote:
>> Hello,
>>
>> Is there any reason why it is not possible to use "-m policy --dir out"
>> in PREROUTING? I tried to do something like:
>>
>> -A PREROUTING -m policy --dir out --pol ipsec -j RETURN
>> -A PREROUTING -p tcp -i $IF_LANBR --dport 80 -j REDIRECT --to-ports 8088
>
>
> The IPsec policy is selected after routing, which is why can't
> be used in PREROUTING.

Is there any other solution than duplicating ipsec policies with "-A
PREROUTING -s (...) -d (...) -p (...) -j RETURN"? I would like to REDIRECT
only packets that are not going thru ipsec tunnels.

Best regards,

Krzysztof Olêdzki
Re: xt_policy: output policy not valid in PRE_ROUTING and INPUT [ In reply to ]
kaber at trash
Aug 6, 2007, 5:44 AM
Post #4 of 4 (2262 views)
Permalink
Krzysztof Oledzki wrote:
> On Mon, 6 Aug 2007, Patrick McHardy wrote:
>
>> The IPsec policy is selected after routing, which is why can't
>> be used in PREROUTING.
>
>
> Is there any other solution than duplicating ipsec policies with "-A
> PREROUTING -s (...) -d (...) -p (...) -j RETURN"? I would like to
> REDIRECT only packets that are not going thru ipsec tunnels.


I can't think of one.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal