From owner-freebsd-security Thu Mar 22 7: 0: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from starfruit.itojun.org (ipv6host1.laptops.meeting.ietf.org [135.222.63.249]) by hub.freebsd.org (Postfix) with ESMTP id 9D72837B71E for ; Thu, 22 Mar 2001 07:00:06 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from itojun.org (localhost [127.0.0.1]) by starfruit.itojun.org (Postfix) with ESMTP id 42FF27E75; Thu, 22 Mar 2001 23:59:47 +0900 (JST)
To: Mike Harding
Cc: freebsd-security@freebsd.org
In-reply-to: mvh's message of Thu, 22 Mar 2001 04:32:18 PST. <20010322123218.742C2114132@netcom1.netcom.com>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC/VPN/NAT and filtering
From: Jun-ichiro itojun Hagino
Date: Thu, 22 Mar 2001 23:59:47 +0900
Message-Id: <20010322145947.42FF27E75@starfruit.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>The referenced function ipsec_gethist() does not appear to exist in
>the FreeBSD tree.

	yeah, this was introduced into the kame tree recently.

>Could the modified mbuf flags M_DECRYPTED,
>M_AUTHIPHDR, etc. be used to determine packets reinjected by ipsec?  If
>so, then something like
>
>#ifdef IPSEC
>+	if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
>+		goto pass;
>+#endif
>
>would do what I need if applied against the current code base.  This
>would make packets processed by ipsec skip the packet filter on the
>second pass through ip_input.c.  I am sorry if I am using the flags
>improperly, but I didn't find documentation on them after looking
>around a bit.
>
>Would this in general work?  Seems fairly clean...

	better than now, but not perfect.  with the above, a tunnelled AH
	packet will still go through the ip packet filter again.  more
	exactly, when ip_input looks at the following packet, the packet
	will go through the ip packet filter twice (once for IP1, once for
	IP2).

		IP1 AH IP2 payload

	if you take that route (i'm okay with it), i guess you'd want to
	put some notes into the documents.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
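Review bot: the quoted hunk is inconsistent about its own preprocessor block: `#ifdef IPSEC` is shown as unchanged context while `+#endif` is an added line, so as written it either closes an existing `#ifdef IPSEC` block early (leaving that block's original `#endif` unmatched) or the `#ifdef` should also be a `+` line; make the hunk self-consistent before applying it. On the logic, `m->m_flags & (M_DECRYPTED | M_AUTHIPHDR)` only records that the mbuf has been through IPsec processing, and, as the reply points out for the tunnelled case (IP1 AH IP2 payload), the outer header is still filtered on the first pass and the inner header on the second, so the `goto pass` does not give one filter pass for every IPsec packet. Since the poster notes the flags are undocumented, a comment above the check stating exactly which packets it exempts from the filter and why that is safe should go in with the change.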