Date:      Wed, 16 Oct 2002 11:04:46 +0200
From:      Guido van Rooij <guido@gvr.org>
To:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_input.c
Message-ID:  <20021016090446.GA7156@gvr.gvr.org>
In-Reply-To: <200210160901.g9G91mPW034448@repoman.freebsd.org>
References:  <200210160901.g9G91mPW034448@repoman.freebsd.org>

2 comments:
1) ipsec_gethist is not used anywhere anymore, yet I didn't
want to change too much in Kame related stuff.
2) Itojun seemed to be too busy to come up with a definite answer so
I decided to just do the commit.

-Guido

On Wed, Oct 16, 2002 at 02:01:48AM -0700, Guido van Rooij wrote:
> guido       2002/10/16 02:01:48 PDT
> 
>   Modified files:
>     sys/netinet          ip_input.c 
>   Log:
>   Get rid of checking for ip sec history. It is true that packets are not
>   supposed to be checked by the firewall rules twice. However, because the
>   various ipsec handlers never call ip_input(), this never happens anyway.
>   
>   This fixes the situation where a gif tunnel is encrypted with IPsec. In
>   such a case, after IPsec processing, the unencrypted contents from the
>   GIF tunnel are fed back to the ipintrq and subsequently handled by
>   ip_input(). Yet, since there still is IPsec history attached, the
>   packets coming out from the gif device are never fed into the filtering
>   code.
>   This fix was sent to Itojun, and he pointed towards
>       http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
>   This patch actually implements what is stated there (specifically:
>   Packet came from tunnel devices (gif(4) and ipip(4)) will still
>   go through ipf(4). You may need to identify these packets by
>   using interface name directive in ipf.conf(5).
>   
>   Reviewed by:    rwatson
>   MFC after:      3 weeks
>   
>   Revision  Changes    Path
>   1.214     +0 -5      src/sys/netinet/ip_input.c
> http://cvsweb.FreeBSD.org/src/sys/netinet/ip_input.c.diff?r1=1.213&r2=1.214

-- 
Guido van Rooij		 	      |  Phone: ++31 653 994 773
Madison Gurkha, Technology Think-Tank |
guido@madison-gurkha.com 	      |  FreeBSD committer

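As an added illustration (not part of Guido's message, the commit, or the FreeBSD tree), the following ipf(4) ruleset shows what the change means for a firewall in front of an IPsec-protected gif(4) tunnel: with the IPsec history check gone, the decapsulated inner packets that gif re-injects into ipintrq go through ipf a second time and are matched by interface name, as the NetBSD document quoted above suggests. Interface names (fxp0, gif0), the peer and inner addresses (RFC 5737 documentation ranges), and the SSH-only inner policy are all assumptions made for the example.

```conf
# Constructed ipf.conf fragment; interface names and addresses are assumed.
#
# Outer leg: the gif tunnel between 203.0.113.1 (this host) and 203.0.113.2
# (peer) is protected by ESP on fxp0. Only IKE and ESP need to be admitted
# here; the IP-in-IP encapsulation used by gif travels inside the ESP payload.
pass in  quick on fxp0 proto udp from 203.0.113.2 port = 500 to 203.0.113.1 port = 500 keep state
pass out quick on fxp0 proto udp from 203.0.113.1 port = 500 to 203.0.113.2 port = 500 keep state
pass in  quick on fxp0 proto esp from 203.0.113.2 to 203.0.113.1
pass out quick on fxp0 proto esp from 203.0.113.1 to 203.0.113.2

# Inner leg: after ESP processing and gif decapsulation the cleartext packet
# is queued back to ipintrq and reaches ip_input() with gif0 as its receiving
# interface. With the old IPsec history check it still carried that history
# and was never handed to ipf, so the rules below were never consulted and the
# inner traffic was implicitly allowed. After revision 1.214 they apply.
pass in  quick on gif0 proto tcp from 192.0.2.0/24 to 198.51.100.0/24 port = 22 flags S keep state
pass out quick on gif0 proto tcp from 198.51.100.0/24 to 192.0.2.0/24 port = 22 flags S keep state
block in log quick on gif0 all

# Default deny for anything else, on any interface.
block in log quick all
```

The practical consequence for an upgrade is the reverse of the bug: a ruleset that was written on the assumption that tunnelled traffic was exempt will start dropping it once the inner packets hit the filter, so rules on the gif interface have to be added before the MFC lands.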