Date: Wed, 16 Oct 2002 02:01:48 -0700 (PDT) From: Guido van Rooij <guido@FreeBSD.org> To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/netinet ip_input.c Message-ID: <200210160901.g9G91mPW034448@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
guido 2002/10/16 02:01:48 PDT Modified files: sys/netinet ip_input.c Log: Get rid of checking for ip sec history. It is true that packets are not supposed to be checked by the firewall rules twice. However, because the various ipsec handlers never call ip_input(), this never happens anyway. This fixes the situation where a gif tunnel is encrypted with IPsec. In such a case, after IPsec processing, the unencrypted contents from the GIF tunnel are fed back to the ipintrq and subsequently handeld by ip_input(). Yet, since there still is IPSec history attached, the packets coming out from the gif device are never fed into the filtering code. This fix was sent to Itojun, and he pointed towartds http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction. This patch actually implements what is stated there (specifically: Packet came from tunnel devices (gif(4) and ipip(4)) will still go through ipf(4). You may need to identify these packets by using interface name directive in ipf.conf(5). Reviewed by: rwatson MFC after: 3 weeks Revision Changes Path 1.214 +0 -5 src/sys/netinet/ip_input.c To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210160901.g9G91mPW034448>