Bug 165359
| Summary: | netfilter fails to place packets into established state when ipsec in transport mode used | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Aleksandar Milivojevic <alex> |
| Component: | kernel | Assignee: | James Morris <jmorris> |
| Status: | CLOSED CANTFIX | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.0 | CC: | davem, jbaron, trevor |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-08-09 19:53:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Aleksandar Milivojevic
2005-08-08 15:25:40 UTC
This is a well known deficiency in netfilter support in the kernel these days. It is, as a result, mostly unusable in conjunction with IPSEC. Netfilter hooks don't get called in a symmetric fashion in the presence of IPSEC, so that the packet can be seen at the proper pre-decrypted and post-decrypted states. Major surgery is required to rectify this.

A fix is being worked on upstream, but it is exceedingly unlikely that an RHEL4 update could ever possibly include the fix even when we have it, because:

1) the necessary fix is incredibly invasive
2) said fix is guaranteed to break the kernel ABI, and thus break 3rd party binary-only kernel modules

And as such I'm for now marking this as a "CANTFIX" for RHEL4.

Many thanks for the detailed reply. I have just one final question. Once the solution is found and implemented in the upstream kernel, I guess it will appear relatively quickly in the Fedora Core kernels. Will it be possible to install a (future) Fedora Core kernel RPM package on an RHEL4 system, or at least rebuild the kernel from the SRPM? Or is the scope of the changes so big that it would require userland stuff that interacts with the kernel to be updated too (such as iptables, ipsec-tools, udev, and so on)? Or is it still too early to give any predictions? I'm aware that using a Fedora Core kernel would break compatibility with binary 3rd party device drivers, and might push the system into an "unsupported" state.

It should be a kernel-only fix, I do not anticipate any userlevel components requiring a change.

For others finding this bug for the first time: also see bug #143374 which is essentially the same thing.