| author | rnhmjoj <rnhmjoj@inventati.org> | 2024-05-09 20:53:46 +0200 |
|---|---|---|
| committer | rnhmjoj <rnhmjoj@inventati.org> | 2024-06-05 15:18:35 +0200 |
| commit | 3c12ef3f219c1a0f458d72e7b460782287974bbd (patch) | |
| tree | 66bf1b9635b15260d6d6fc79d40bd1b1ce0a5f62 /pkgs/development/python-modules/python-mapnik | |
| parent | 591aaa3f604e55f786b6014011ab0f6dedd28b6a (diff) | |
nixos/firewall: fix reverse path check failures with IPsec
The endpoint of an IPsec tunnel receives encrypted IPsec packets that
are first decrypted and then forwarded to the intended destination.
The decrypted traffic appears to originate from the same interface it
came in from, so in most cases these packets will fail the reverse path
check even if legitimate.
This change adds an exception to not reject packets that were previously
IPsec-encrypted, meaning they have been accepted, decrypted and are in
the process of being forwarded to their final destination.
Sources:
- https://www.kernel.org/doc/Documentation/networking/xfrm_device.txt
- https://git.netfilter.org/nftables/commit/?id=49f6e9a846c6c8325b95debe04d5ebc3c01246fb
- https://git.netfilter.org/nftables/commit/?id=8f55ed41d007061bd8aae94fee2bda172c0e8996
- https://thermalcircle.de/doku.php?id=blog:linux:nftables_demystifying_ipsec_expressions
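The exception described above, as an added nftables example that is not the commit's own change (the diff itself is not shown on this page): a stand-alone reverse-path chain that accepts packets carrying an IPsec security path before the strict fib check can reject them. It assumes a kernel and nftables version that support the `meta ipsec` expression introduced by the linked nftables commits; the table and chain names are chosen here.

```nft
# Added example (not the commit's code): strict reverse-path filtering
# with an exception for traffic that has already been IPsec-decrypted.
table inet rpfilter_example {
  chain rpfilter {
    # Runs early in prerouting, before routing decides where the packet goes.
    type filter hook prerouting priority mangle + 10; policy drop;

    # A packet decrypted by the kernel's xfrm stack re-enters prerouting
    # with a security path attached. Its inner source address usually does
    # not route back out through the interface it arrived on (the tunnel
    # interface), so the fib check below would drop it. The packet was
    # already authenticated by the IPsec SA, so accept it here.
    meta ipsec exists accept comment "already authenticated by IPsec"

    # Strict check: the route back to saddr must leave via the ingress
    # interface. "exists" is true only when such a route is found.
    fib saddr . iif oif exists accept

    # Anything else is logged and then hits the chain's drop policy.
    log level info prefix "rpfilter drop: "
  }
}
```

Only the decrypted copy of the packet matches `meta ipsec exists`; the still-encrypted ESP packet is evaluated by the fib rule like any other inbound packet, so spoofed cleartext traffic is not exempted.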
Diffstat (limited to 'pkgs/development/python-modules/python-mapnik')
0 files changed, 0 insertions, 0 deletions
