From owner-cvs-all Wed Oct 16 02:01:52 2002
Message-Id: <200210160901.g9G91mPW034448@repoman.freebsd.org>
From: Guido van Rooij
Date: Wed, 16 Oct 2002 02:01:48 -0700 (PDT)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet ip_input.c
X-FreeBSD-CVS-Branch: HEAD

guido       2002/10/16 02:01:48 PDT

  Modified files:
    sys/netinet          ip_input.c
  Log:
  Get rid of checking for ip sec history. It is true that packets are not
  supposed to be checked by the firewall rules twice. However, because the
  various ipsec handlers never call ip_input(), this never happens anyway.

  This fixes the situation where a gif tunnel is encrypted with IPsec. In
  such a case, after IPsec processing, the unencrypted contents from the
  GIF tunnel are fed back to the ipintrq and subsequently handled by
  ip_input(). Yet, since there still is IPSec history attached, the packets
  coming out from the gif device are never fed into the filtering code.

  This fix was sent to Itojun, and he pointed towards
  http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
  This patch actually implements what is stated there (specifically:
  "Packet came from tunnel devices (gif(4) and ipip(4)) will still go
  through ipf(4). You may need to identify these packets by using
  interface name directive in ipf.conf(5).").

  Reviewed by:	rwatson
  MFC after:	3 weeks

  Revision  Changes    Path
  1.214     +0 -5      src/sys/netinet/ip_input.c
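The packet flow the commit describes, as an added example that is not part of this commit mail nor FreeBSD kernel code: a constructed model of the ip_input() decision before and after the change. The model assumes a single "IPsec history attached" flag that survives gif(4) decapsulation, and counts how often the firewall hook runs on a packet; the function names ip_input_old, ip_input_new, inner_packet_filter_passes and transport_packet_filter_passes are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not FreeBSD code: a packet carries a flag saying IPsec
 * history is attached, plus a counter of how often the firewall hook ran. */
struct pkt {
    bool has_ipsec_history;
    int  firewall_passes;
};

typedef void (*ip_input_fn)(struct pkt *);

/* Model of ip_input() before rev 1.214: the firewall hook was skipped
 * whenever IPsec history was attached, on the theory that the packet had
 * already been filtered once. */
static void ip_input_old(struct pkt *p)
{
    if (p->has_ipsec_history)
        return;                 /* assumed "already filtered"; never true here */
    p->firewall_passes++;
}

/* Model of ip_input() after rev 1.214: every packet that enters ip_input()
 * is handed to the firewall, history or not. */
static void ip_input_new(struct pkt *p)
{
    p->firewall_passes++;
}

/* IPsec-encrypted gif tunnel: the outer ESP packet is filtered once, IPsec
 * decrypts it and attaches history, the payload goes to gif(4), which
 * decapsulates the inner packet and requeues it to ipintrq. The inner
 * packet still carries the history when ip_input() runs on it. Returns how
 * many times the firewall saw the inner packet. */
static int inner_packet_filter_passes(ip_input_fn ip_input)
{
    struct pkt outer = { false, 0 };
    ip_input(&outer);                       /* ESP packet: filtered once */

    /* IPsec input decrypts and marks the history; it does not call
     * ip_input() itself. gif(4) then requeues the decapsulated packet,
     * which inherits the attached history. */
    struct pkt inner = { true, 0 };
    ip_input(&inner);                       /* second pass, for the inner packet */
    return inner.firewall_passes;
}

/* Transport-mode IPsec: after decryption the packet is delivered to the
 * transport layer directly and never re-enters ip_input(), so it is filtered
 * exactly once under both versions. The removed check was never what
 * prevented double filtering. */
static int transport_packet_filter_passes(ip_input_fn ip_input)
{
    struct pkt p = { false, 0 };
    ip_input(&p);
    p.has_ipsec_history = true;             /* decrypted in place, no requeue */
    return p.firewall_passes;
}

int main(void)
{
    printf("gif inner packet, old ip_input: %d firewall pass(es)\n",
           inner_packet_filter_passes(ip_input_old));
    printf("gif inner packet, new ip_input: %d firewall pass(es)\n",
           inner_packet_filter_passes(ip_input_new));
    printf("transport packet, old ip_input: %d firewall pass(es)\n",
           transport_packet_filter_passes(ip_input_old));
    printf("transport packet, new ip_input: %d firewall pass(es)\n",
           transport_packet_filter_passes(ip_input_new));
    return 0;
}
```

The model makes the commit's two claims concrete: with the history check in place the decapsulated gif packet is never filtered (0 passes), and without it the packet is filtered once (1 pass), while a plain transport-mode packet is filtered exactly once either way. Once the inner packet reaches the filter, rules can tell it apart from other traffic by matching on the gif interface name, which is the approach the quoted NetBSD documentation recommends.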