From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 4 00:30:02 2003
From: Ari Suutari
Organization: Syncron Tech Oy
To: Christian Kratzer, Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.org
Date: Mon, 4 Aug 2003 10:29:45 +0300
User-Agent: KMail/1.5.2
References: <200307070113.h671DPeG082710@freefall.freebsd.org> <20030706234624.A45394@xorpc.icir.org> <20030710110751.L84774@majakka.cksoft.de>
In-Reply-To: <20030710110751.L84774@majakka.cksoft.de>
Message-Id: <200308041029.45598.ari.suutari@syncrontech.com>
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 04 Aug 2003 07:30:02 -0000

Hi,

On Thursday 10 July 2003 12:12, Christian Kratzer wrote:
> Hi,
>
> We applied the patch to a RELENG_4 system but can't seem to be able to
> catch packets based on them having ipsec history or not.
>
> We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.
>
> We currently have an ipsec esp tunnel running between two locations without
> any gif tunnels. IPSEC_FILTERGIF seems to be working fine as packets are
> now being filtered by our ipfw ruleset.
>
> We can't match any packets based on the ipsec or not ipsec flags in ipfw2.
>
> I just wanted to ask if somebody knows the obvious before I start digging
> my head in the code.

I did my quick testing on a 5.1-RELEASE system, but I cannot really understand why the change wouldn't work on RELENG_4 also. It uses only one call which works on RELENG_4 (otherwise a system *without* IPSEC_FILTERGIF wouldn't work as expected).

I have really tested with KAME ipsec. Are you using FAST_IPSEC?

Ari S.