Quoting Eric W. Biederman ([EMAIL PROTECTED]):
> Ok.  The way it looks to me is this:
> 
> In the first network namespace connected to the outside world,
> we set up firewall rules to look at the security association (ipsec/ipauth)
> with the packet and forward that packet out different interfaces
> depending upon our security rules.
> 
> Each of the different outgoing interfaces hooks to a different network
> namespace.  With probably a different security level.
> 
> The ip address is configured the same on the filter network namespace,
> and the destination network namespaces.
> 
> The tricky bit is that the filter network namespace needs firewall rules
> in place so that the returning packets are not allowed to spoof each other.

OTOH, if using the ipsec based labeling rather than cipso, that should
take care of the spoofing as well.

-serge

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
