Date: Thu, 22 Mar 2001 04:32:18 -0800 (PST)
From: Mike Harding <mvh@ix.netcom.com>
To: itojun@iijlab.net
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC/VPN/NAT and filtering
Message-ID: <20010322123218.742C2114132@netcom1.netcom.com>
In-Reply-To: <10518.985201829@coconut.itojun.org>
References: <10518.985201829@coconut.itojun.org>
The referenced function ipsec_gethist() does not appear to exist in the FreeBSD tree. Could the modified mbuf flags M_DECRYPTED, M_AUTHIPHDR, etc. be used to determine packets reinjected by ipsec? If so, then something like

#ifdef IPSEC
+ if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
+ goto pass;
+#endif

would do what I need if applied against the current code base. This would make packets processed by ipsec skip the packet filter on the second pass through ip_input.c.

I am sorry if I am using the flags improperly but I didn't find documentation on them after looking around a bit. Would this in general work? Seems fairly clean...

- Mike H.

> not sure if it works, but anyway, here it is.
> http://orange.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.16&r2=1.17
> (based on 4.2-RELEASE) NOTE: it will need latest kame ipsec tree/backend.
>
> itojun
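Review bot: the added condition makes every mbuf carrying M_DECRYPTED or M_AUTHIPHDR skip the filter entirely, so the decrypted inner packet is never filtered at all, not merely spared a duplicate pass, and any rule meant to constrain traffic arriving through the tunnel stops applying to it. Since the sender says the flag semantics are undocumented, confirm in the IPsec input path where each flag is set and that nothing else sets it before trusting this test, and check that a `pass` label exists in the target ip_input.c and sits after the filter hook, otherwise the `goto pass;` will not build or will land in the wrong place. If the goal is only to avoid filtering the same packet twice, consider letting the filter see the reinjected packet and giving the rules a way to distinguish the IPsec-processed case instead of an unconditional bypass.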