552075b562
* Thu Feb 09 2023 Phil Sutter <psutter@redhat.com> [1.0.4-8.el9] - monitor: Sanitize startup race condition (Phil Sutter) [2130721] - evaluate: set eval ctx for add/update statements with integer constants (Phil Sutter) [2094894] - src: allow anon set concatenation with ether and vlan (Phil Sutter) [2094887] - evaluate: search stacked header list for matching payload dep (Phil Sutter) [2094887] - netlink_delinearize: also postprocess OP_AND in set element context (Phil Sutter) [2094887] - tests: add a test case for ether and vlan listing (Phil Sutter) [2094887] - debug: dump the l2 protocol stack (Phil Sutter) [2094887] - proto: track full stack of seen l2 protocols, not just cumulative offset (Phil Sutter) [2094887] - netlink_delinearize: postprocess binary ands in concatenations (Phil Sutter) [2094887] - netlink_delinearize: allow postprocessing on concatenated elements (Phil Sutter) [2094887] - intervals: check for EXPR_F_REMOVE in case of element mismatch (Phil Sutter) [2115627] - intervals: fix crash when trying to remove element in empty set (Phil Sutter) [2115627] - scanner: don't pop active flex scanner scope (Phil Sutter) [2113874] - parser: add missing synproxy scope closure (Phil Sutter) [2113874] - tests/py: Add a test for failing ipsec after counter (Phil Sutter) [2113874] - doc: Document limitations of ipsec expression with xfrm_interface (Phil Sutter) [1806431] Resolves: rhbz#1806431, rhbz#2094887, rhbz#2094894, rhbz#2113874, rhbz#2115627, rhbz#2130721, rhbz#2094890
45 lines
1.4 KiB
Diff
45 lines
1.4 KiB
Diff
From f999616d8248bf51831c4eef4ea5a2fd57805857 Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <psutter@redhat.com>
|
|
Date: Thu, 9 Feb 2023 10:15:02 +0100
|
|
Subject: [PATCH] doc: Document limitations of ipsec expression with
|
|
xfrm_interface
|
|
|
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1806431
|
|
Upstream Status: nftables commit 446e76dbde713
|
|
|
|
commit 446e76dbde713327358f17a8af6ce86b8541c836
|
|
Author: Phil Sutter <phil@nwl.cc>
|
|
Date: Thu Jun 23 17:49:20 2022 +0200
|
|
|
|
doc: Document limitations of ipsec expression with xfrm_interface
|
|
|
|
Point at a possible solution to match IPsec info of locally generated
|
|
traffic routed to an xfrm-type interface.
|
|
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
---
|
|
doc/primary-expression.txt | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
|
|
index f97778b..4d6b087 100644
|
|
--- a/doc/primary-expression.txt
|
|
+++ b/doc/primary-expression.txt
|
|
@@ -428,6 +428,10 @@ Destination address of the tunnel|
|
|
ipv4_addr/ipv6_addr
|
|
|=================================
|
|
|
|
+*Note:* When using xfrm_interface, this expression is not useable in output
|
|
+hook as the plain packet does not traverse it with IPsec info attached - use a
|
|
+chain in postrouting hook instead.
|
|
+
|
|
NUMGEN EXPRESSION
|
|
~~~~~~~~~~~~~~~~~
|
|
|
|
--
|
|
2.39.1
|
|
|