[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Sun May 3 23:21:26 EEST 2015
New commits:
commit 97266ec18c2e78959630f6618c6179726aaba85f
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun May 3 16:21:16 2015 -0400
updated changes
commit e1aed80c87e8678b9e01a8228e0fe89acb07c075
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun May 3 16:11:58 2015 -0400
pluto: NFLOG support for all and per-connection IPsec traffic
- New config setup option nflog-all=XX
- New per-conn option nflog=XX
The config setup nflog-all option uses iptables to run all pre-encrypt
and post-decrypt traffic through the NFLOG target of the specific nflog
group number.
The per-conn nflog= option does the same but only applies to the traffic
covered by the connection. Different connections can use different nflog
group numbers.
Traffic can be displayed using a variety of tools, such as wireshark, dumpcap
and tcpdump. For example, when setting nflog-all=50, one can issue the following
command to see all traffic before encryption and after decryption:
tcpdump -n -i nflog:50
(Note that traffic filters on the command line are not supported at this time in
tcpdump.)
The command "ipsec sniff" is a shorthand for running tcpdump on the nflog-all
group number.
A group number of 0 means disabled.
If an external firewall management tool such as firewalld or shorewall is used,
these settings might interfere and/or become undone during operation.
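Because firewalld or shorewall can flush or rewrite the iptables rules that implement nflog-all= and nflog=, an operator will want a quick way to confirm that the NFLOG rules for a given group are still in place. The shell functions below are an added example, not code from this commit or from libreswan: they parse the output format of iptables-save for rules jumping to the NFLOG target and report which group numbers still have rules. The embedded SAMPLE_RULES text is constructed for the example, and the use of the iptables policy match (-m policy --pol ipsec) to select pre-encrypt and post-decrypt traffic is an assumption about what such rules might look like, not the rule text pluto actually installs.

```shell
#!/bin/sh
# Constructed sample of iptables-save output (not captured from a real host).
# Two rules log to group 50 (standing in for nflog-all=50) and one rule logs
# to group 51 (standing in for a per-conn nflog=51).  The -m policy matches
# are an assumption about the rule shape, not libreswan's actual rules.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50
-A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50
-A OUTPUT -s 10.1.0.0/24 -d 10.2.0.0/24 -m policy --dir out --pol ipsec -j NFLOG --nflog-group 51
COMMIT'

# nflog_groups RULES
#   Print the distinct NFLOG group numbers referenced by RULES, one per line,
#   in ascending numeric order.
nflog_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*-j NFLOG --nflog-group \([0-9][0-9]*\).*/\1/p' \
        | sort -un
}

# nflog_rule_count RULES GROUP
#   Print how many rules in RULES log to exactly GROUP (so group 5 does not
#   match group 50).  grep -c exits 1 on zero matches; the || true keeps the
#   count printed under set -e.
nflog_rule_count() {
    printf '%s\n' "$1" \
        | grep -c -E -- "-j NFLOG --nflog-group $2( |\$)" || true
}

# check_nflog_all RULES GROUP
#   Succeed (exit 0) if at least one rule still logs to GROUP, fail otherwise.
#   Intended to be run after a firewall reload, e.g.:
#     check_nflog_all "$(iptables-save)" 50 || echo "nflog-all rules missing"
#   (iptables-save needs root; the sample above runs unprivileged.)
check_nflog_all() {
    [ "$(nflog_rule_count "$1" "$2")" -gt 0 ]
}
```

A group number of 0 means disabled, so there is nothing to check for it; the check is only meaningful for the non-zero group configured in nflog-all= or in a connection's nflog=.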