Date: Wed, 16 Oct 2002 11:04:46 +0200
From: Guido van Rooij <guido@gvr.org>
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_input.c
Message-ID: <20021016090446.GA7156@gvr.gvr.org>
In-Reply-To: <200210160901.g9G91mPW034448@repoman.freebsd.org>

2 comments:

1) ipsec_gethist is not used anywhere anymore, yet I didn't want to change
   too much in Kame related stuff.

2) Itojun seemed to be too busy to come up with a definite answer so I
   decided to just do the commit.

-Guido

On Wed, Oct 16, 2002 at 02:01:48AM -0700, Guido van Rooij wrote:
> guido       2002/10/16 02:01:48 PDT
>
>   Modified files:
>     sys/netinet          ip_input.c
>   Log:
>   Get rid of checking for ip sec history. It is true that packets are not
>   supposed to be checked by the firewall rules twice. However, because the
>   various ipsec handlers never call ip_input(), this never happens anyway.
>
>   This fixes the situation where a gif tunnel is encrypted with IPsec. In
>   such a case, after IPsec processing, the unencrypted contents from the
>   GIF tunnel are fed back to the ipintrq and subsequently handled by
>   ip_input(). Yet, since there still is IPSec history attached, the
>   packets coming out from the gif device are never fed into the filtering
>   code.
>   This fix was sent to Itojun, and he pointed towards
>   http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
>   This patch actually implements what is stated there (specifically:
>       Packet came from tunnel devices (gif(4) and ipip(4)) will still
>       go through ipf(4). You may need to identify these packets by
>       using interface name directive in ipf.conf(5).
>
>   Reviewed by:    rwatson
>   MFC after:      3 weeks
>
>   Revision  Changes    Path
>   1.214     +0 -5      src/sys/netinet/ip_input.c
>   http://cvsweb.FreeBSD.org/src/sys/netinet/ip_input.c.diff?r1=1.213&r2=1.214

-- 
Guido van Rooij | Phone: ++31 653 994 773
Madison Gurkha, Technology Think-Tank | guido@madison-gurkha.com | FreeBSD committer