From owner-freebsd-ipfw Mon Feb 10 8:43:19 2003
Date: Mon, 10 Feb 2003 11:43:04 -0500 (EST)
From: Andriy Gapon
Subject: ipsec & ipfw: 4.7-release vs -stable
To: freebsd-ipfw@freebsd.org, freebsd-security@freebsd.org
Message-id: <20030210114213.P53494@edge.foundation.invalid>

Is there any remedy expected before 4.8 release for the situation with ipsec & ipfw interaction that was created after 'ip_input.c 1.130.2.40, MFC: 1.214'?

The reason I am asking this question with such a big crosspost is that it seems that all previous discussions on this topic resulted in nothing. And this change definitely breaks things for those who use ipsec without extra stuff like gif tunnels. It definitely doesn't look like a kind of change welcomed in -stable branch, not mentioning a potential security vulnerability for those who cannot use gif.

I apologize in case I have missed any latest developments in this area.

--
Andriy Gapon