Quoting Paul Moore ([EMAIL PROTECTED]):
> Serge E. Hallyn wrote:
> > Quoting Eric W. Biederman ([EMAIL PROTECTED]):
> >
> >>Ok. The way it looks to me is this:
> >>
> >>In the first network namespace connected to the outside world.
> >>We set up firewall rules to look at the security association (ipsec/ipauth)
> >>with the packet and depending forward that packet out different interfaces
> >>depending upon our security rules.
> >>
> >>Each of the different outgoing interfaces hooks to a different network
> >>namespace. With probably a different security level.
> >>
> >>The ip address is configured the same on the filter network namespace,
> >>and the destination network namespaces.
> >>
> >>The tricky bit is that the filter network namespace needs firewall rules
> >>in place so that the returning packets are not allowed to spoof each other.
> >
> >
> > OTOH, if using the ipsec based labeling rather than cipso, that should
> > take care of the spoofing as well.
> >
>
> Using CIPSO (or any explicit labeling mechanism) should resolve the
> spoofing issue as well since the packets are explicitly labeled by the
> kernel.

Good point :)  So network namespaces may suffice in any case.

-serge

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
