Date: Thu, 22 Mar 2001 23:59:47 +0900
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
To: Mike Harding <mvh@ix.netcom.com>
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC/VPN/NAT and filtering
Message-ID: <20010322145947.42FF27E75@starfruit.itojun.org>
In-Reply-To: mvh's message of Thu, 22 Mar 2001 04:32:18 PST. <20010322123218.742C2114132@netcom1.netcom.com>
>The referenced function ipsec_gethist() does not appear to exist in
>the FreeBSD tree.

	yeah, this was introduced into kame tree recently.

>Could the modified mbuf flags M_DECRYPTED,
>M_AUTHIPHDR, etc. be used to determine packets reinjected by ipsec? If
>so, then something like
>#ifdef IPSEC
>+ if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
>+ goto pass;
>+#endif
>would do what I need if applied against the current code base. This
>would make packets processed by ipsec skip the packet filter on the
>second pass through ip_input.c. I am sorry if I am using the flags
>improperly but I didn't find documentation on them after looking
>around a bit.
>Would this in general work? Seems fairly clean...

	better than now, but not perfect.  with the above, tunnelled AH
	packet will go through again into ip packet filter.  more exactly,
	when ip_input looks at the following packet, the packet will go
	through ip packet filter twice (one for IP1, one for IP2).

		IP1 AH IP2 payload

	if you take the route (i'm okay with it) i guess you want to put
	some notes into documents.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
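Review bot: as quoted, the `#ifdef IPSEC` line carries no `+` while `+#endif` does, so applied literally the fragment adds an unbalanced `#endif`; either all four lines are additions or the `if`/`goto pass` is meant to land inside an existing `#ifdef IPSEC` block whose `#endif` is already there, and the fragment should show which. The check itself makes any mbuf carrying `M_DECRYPTED` or `M_AUTHIPHDR` bypass the packet filter, which is exactly the intent ("skip the packet filter on the second pass"), but it also means the filter never sees the decapsulated inner packet of an ESP tunnel; the reply above points out the converse gap for AH tunnels, where the inner packet is filtered a second time. Both cases deserve a comment next to the check and a note in the documentation, as itojun suggests.

The double-pass behaviour itojun describes is easier to see in code. The following is an added example, not code from the thread or from KAME/FreeBSD: a toy model of the ip_input() re-injection path with the proposed flag check. The struct, the numeric flag values, `enum ipsec_kind` and `filter_passes_for()` are constructed for illustration; only the names M_DECRYPTED, M_AUTHIPHDR and ip_input come from the thread. The AH-tunnel branch encodes the assumption, taken from the reply, that the re-injected inner packet (IP2) does not carry M_AUTHIPHDR, so the check fails on the second pass.

```c
#include <stdio.h>

/* Constructed flag values; the real mbuf flag bits differ. */
#define M_DECRYPTED  0x0001   /* ESP processing removed the encryption */
#define M_AUTHIPHDR  0x0002   /* AH verified the IP header */

enum ipsec_kind { PLAIN, ESP_TUNNEL, AH_TUNNEL };

/* Toy stand-in for struct mbuf: just the pieces this model needs. */
struct toy_mbuf {
    unsigned m_flags;
    enum ipsec_kind kind;   /* what the outer header (IP1) carries */
    int inner;              /* 1 once ip_input is looking at IP2 */
};

/* Model of the patched ip_input(): the packet filter runs unless the
 * proposed flag check matches. Returns how many times the filter saw
 * this packet, outer and inner passes combined. */
static int ip_input(struct toy_mbuf *m, int patch_applied)
{
    int filter_passes = 0;

    if (!(patch_applied && (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))))
        filter_passes++;            /* ip packet filter runs here */

    if (m->inner)
        return filter_passes;       /* IP2 delivered to the upper layer */

    switch (m->kind) {
    case PLAIN:
        return filter_passes;       /* no ipsec, no re-injection */
    case ESP_TUNNEL:
        /* esp decapsulation marks the inner packet as decrypted */
        m->m_flags |= M_DECRYPTED;
        break;
    case AH_TUNNEL:
        /* Assumption from the reply: AH verified IP1, but the inner
         * packet is re-injected without M_AUTHIPHDR, so the check
         * above does not match on the second pass. */
        m->m_flags |= M_AUTHIPHDR;  /* set while verifying IP1 ... */
        m->m_flags &= ~M_AUTHIPHDR; /* ... dropped when IP2 is handed back */
        break;
    }
    m->inner = 1;
    return filter_passes + ip_input(m, patch_applied);   /* re-injection */
}

/* Number of packet-filter passes for one packet kind, with or without
 * the proposed check in place. */
int filter_passes_for(enum ipsec_kind kind, int patch_applied)
{
    struct toy_mbuf m = { 0, kind, 0 };
    return ip_input(&m, patch_applied);
}

int main(void)
{
    printf("plain:      %d pass\n", filter_passes_for(PLAIN, 1));
    printf("esp tunnel: %d pass (unpatched: %d)\n",
           filter_passes_for(ESP_TUNNEL, 1), filter_passes_for(ESP_TUNNEL, 0));
    printf("ah tunnel:  %d passes\n", filter_passes_for(AH_TUNNEL, 1));
    return 0;
}
```

With the check in place the ESP tunnel packet is filtered once (on IP1) and the AH tunnel packet twice (IP1 and IP2), which is the "not perfect" case in the reply; without it every tunnelled packet is filtered twice. When writing filter rules for such a host, the rule set has to account for which of the two headers it will actually be matched against.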