From owner-freebsd-security Thu Mar 22 4:32:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hall.mail.mindspring.net (hall.mail.mindspring.net [207.69.200.60]) by hub.freebsd.org (Postfix) with ESMTP id 8C91E37B71F for ; Thu, 22 Mar 2001 04:32:23 -0800 (PST) (envelope-from mvh@ix.netcom.com)
Received: from netcom1.netcom.com (lai-ca3a-201.ix.netcom.com [209.110.240.201]) by hall.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id HAA25337; Thu, 22 Mar 2001 07:32:20 -0500 (EST)
Received: by netcom1.netcom.com (Postfix, from userid 1000) id 742C2114132; Thu, 22 Mar 2001 04:32:18 -0800 (PST)
From: Mike Harding
To: itojun@iijlab.net
Cc: freebsd-security@freebsd.org
In-reply-to: <10518.985201829@coconut.itojun.org>
Subject: Re: IPSEC/VPN/NAT and filtering
References: <10518.985201829@coconut.itojun.org>
Message-Id: <20010322123218.742C2114132@netcom1.netcom.com>
Date: Thu, 22 Mar 2001 04:32:18 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The referenced function ipsec_gethist() does not appear to exist in the FreeBSD tree. Could the modified mbuf flags M_DECRYPTED, M_AUTHIPHDR, etc. be used to determine packets reinjected by ipsec? If so, then something like

#ifdef IPSEC
+	if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
+		goto pass;
+#endif

would do what I need if applied against the current code base. This would make packets processed by ipsec skip the packet filter on the second pass through ip_input.c.

I am sorry if I am using the flags improperly, but I didn't find documentation on them after looking around a bit. Would this in general work? Seems fairly clean...

- Mike H.

> not sure if it works, but anyway, here it is.
> http://orange.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.16&r2=1.17
> (based on 4.2-RELEASE) NOTE: it will need latest kame ipsec tree/backend.
>
> itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
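Review bot: the three-line hunk carries no `@@` header or unchanged context, so it is not visible from the patch where `goto pass` lands relative to the packet-filter call in ip_input.c; please post it with surrounding context. The message itself says the flag semantics are unverified, and that is the crux: before `m->m_flags & (M_DECRYPTED | M_AUTHIPHDR)` is used to bypass the filter, confirm that those bits are set only by the IPsec input path on a packet that already passed the filter in its outer ESP/AH form on the first pass, since any mbuf carrying either bit will otherwise skip filtering entirely. Also, `#ifdef IPSEC` has no leading `+` while the following two lines do, so it is ambiguous whether the `#ifdef` is new or pre-existing context.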
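To make the two-pass behaviour discussed in the message concrete, here is a small constructed model (added here; not FreeBSD or KAME code, and not from the thread). It treats an ESP packet as passing through a stand-in ip_input() twice, once as the outer ESP datagram and once after a stand-in IPsec backend marks the mbuf and reinjects the decrypted inner packet. The flag values, protocol numbers, filter policy ("deny inbound TCP") and the counters are all hypothetical. It shows that the proposed flag check cuts the filter invocations for an IPsec packet from two to one, and the check a defender would want alongside it: a cleartext packet that never went through the backend still gets filtered, because only the backend sets the flag.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical flag and protocol values, named after the thread; not the kernel's. */
#define M_DECRYPTED  0x0001u
#define M_AUTHIPHDR  0x0002u
#define PROTO_ESP    50
#define PROTO_TCP    6

struct mbuf {
    unsigned m_flags;   /* mbuf flags set by the (stand-in) IPsec backend */
    int      proto;     /* protocol of the packet currently in the mbuf */
};

struct stats {
    int filter_calls;   /* how many times the packet filter ran */
    int delivered;      /* 1 if the final inner packet reached the stack */
};

/* Stand-in packet filter with a fixed policy: ESP is allowed, inbound TCP is denied. */
static bool pfil_pass(const struct mbuf *m, struct stats *s)
{
    s->filter_calls++;
    return m->proto != PROTO_TCP;
}

static void ip_input(struct mbuf *m, bool skip_reinjected, struct stats *s);

/* Stand-in IPsec backend: strips ESP, exposes the inner TCP packet,
 * marks the mbuf as having been through IPsec, and reinjects it. */
static void ipsec_reinject(struct mbuf *m, bool skip_reinjected, struct stats *s)
{
    m->m_flags |= M_DECRYPTED;
    m->proto = PROTO_TCP;
    ip_input(m, skip_reinjected, s);
}

/* Model of ip_input(): filter, then hand ESP to the backend or deliver. */
static void ip_input(struct mbuf *m, bool skip_reinjected, struct stats *s)
{
    /* The change proposed in the message, made switchable for comparison. */
    if (skip_reinjected && (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR)))
        goto pass;
    if (!pfil_pass(m, s))
        return;                         /* dropped by the filter */
pass:
    if (m->proto == PROTO_ESP) {
        ipsec_reinject(m, skip_reinjected, s);
        return;
    }
    s->delivered = 1;
}

/* An ESP packet carrying TCP inside, with or without the proposed flag check. */
struct stats run_esp(bool skip_reinjected)
{
    struct mbuf m = { 0, PROTO_ESP };
    struct stats s = { 0, 0 };
    ip_input(&m, skip_reinjected, &s);
    return s;
}

/* A cleartext TCP packet: must be filtered exactly once regardless of the check. */
struct stats run_plain_tcp(bool skip_reinjected)
{
    struct mbuf m = { 0, PROTO_TCP };
    struct stats s = { 0, 0 };
    ip_input(&m, skip_reinjected, &s);
    return s;
}

int main(void)
{
    struct stats a = run_esp(false), b = run_esp(true), c = run_plain_tcp(true);
    printf("ESP without check: filter ran %d times, delivered=%d\n", a.filter_calls, a.delivered);
    printf("ESP with check:    filter ran %d times, delivered=%d\n", b.filter_calls, b.delivered);
    printf("plain TCP w/check: filter ran %d times, delivered=%d\n", c.filter_calls, c.delivered);
    return 0;
}
```

Without the check the inner TCP packet is filtered on its second pass and dropped by the "deny TCP" policy, which is the effect the message wants to avoid; with the check it is filtered only once, as ESP. The plain TCP case is the property to verify in the real kernel: the bypass is only as safe as the guarantee that the flags are set exclusively by the IPsec input path.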