| Commit message (Collapse) | Author | Age | Files |
|---|
| | |
|
| |
|
|
|
| |
To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.
|
| | |
|
| |
|
|
| |
We use ESP only, so other protocols shouldn't be ACCEPTed.
|
| |
|
|
|
|
|
|
|
| |
Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to
ip rule add fwmark "$secmark" table 666 priority 666
ip route add blackhole default table 666
|
|
|
At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.
|
