From owner-freebsd-ipfw@FreeBSD.ORG  Mon Aug  4 00:30:02 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 57C3937B401; Mon,  4 Aug 2003 00:30:02 -0700 (PDT)
Received: from cocoa.syncrontech.com (cocoa-e0.syncrontech.com [62.71.8.66])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 21CF043F3F; Mon,  4 Aug 2003 00:30:00 -0700 (PDT)
	(envelope-from ari.suutari@syncrontech.com)
Received: from guinness.syncrontech.com (guinness.syncrontech.com
	[62.71.8.19])h747TosV053777;	Mon, 4 Aug 2003 10:29:52 +0300 (EEST)
	(envelope-from ari.suutari@syncrontech.com)
Received: from coffee.syncrontech.com (coffee.syncrontech.com [62.71.8.37])
	h747Tjk6076265;	Mon, 4 Aug 2003 10:29:47 +0300 (EEST)
	(envelope-from ari.suutari@syncrontech.com)
From: Ari Suutari <ari.suutari@syncrontech.com>
Organization: Syncron Tech Oy
To: Christian Kratzer <ck@cksoft.de>,
	Christian Kratzer <ck-lists@cksoft.de>,
	Luigi Rizzo <luigi@FreeBSD.org>
Date: Mon, 4 Aug 2003 10:29:45 +0300
User-Agent: KMail/1.5.2
References: <200307070113.h671DPeG082710@freefall.freebsd.org>
	<20030706234624.A45394@xorpc.icir.org>
	<20030710110751.L84774@majakka.cksoft.de>
In-Reply-To: <20030710110751.L84774@majakka.cksoft.de>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200308041029.45598.ari.suutari@syncrontech.com>
X-Scanned-By: MIMEDefang 2.24 (www . roaringpenguin . com / mimedefang)
cc: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2003 07:30:02 -0000

Hi,

On Thursday 10 July 2003 12:12, Christian Kratzer wrote:
> Hi,
>
> We applied the patch to a RELENG_4 system but can't seem to be able to
> catch packets based on them having ipsec history or not.
>
> We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.
>
> We currently have an ipsec esp tunnel running between two locations without
> any gif tunnels.  IPSEC_FILTERGIF seems to be working fine as packets are
> now being filtered by our ipfw ruleset.
>
> We can't match any packets based on the ipsec or not ipsec flags in ipfw2.
>
> I just wanted to ask if somebody knows the obvious before I start digging
> my head in the code.

	I did my quick testing on 5.1-RELEASE system, but I cannot really 
	understand why the change wouldn't work on RELENG_4 also.
	It uses only one call which works on RELENG_4 (otherwise a system
	*without* IPSEC_FILTERGIF wouldn't work as expected).

	I have really tested with KAME ipsec. Are you using FAST_IPSEC ?

		Ari S.