Date:      Thu, 22 Mar 2001 07:20:26 -0800 (PST)
From:      Mike Harding <mvh@ix.netcom.com>
To:        itojun@iijlab.net
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPSEC/VPN/NAT and filtering
Message-ID:  <20010322152026.1996C1142A7@netcom1.netcom.com>
In-Reply-To: <20010322145947.42FF27E75@starfruit.itojun.org> (message from Jun-ichiro itojun Hagino on Thu, 22 Mar 2001 23:59:47 +0900)
References:   <20010322145947.42FF27E75@starfruit.itojun.org>


Itojun -

I am not part of the FreeBSD team, but I would like to do a little
work to incorporate this functionality and ideally I can present it to
the right folks and get it folded in.  Of course if you are merging
your code back in then that would be fine as well...

One more question, could you tell me what the following flags mean?

#define M_LOOP		M_PROTO4
#define M_AUTHIPDGM	M_PROTO5

I assume that M_AUTHIPDGM is _always_ set for good packets, esp and
ah, and thus is a good check for skipping the packet filter for packet
input.  I think that packet output doesn't need any special
processing, but I will check into it.

- Mike Harding


   Cc: freebsd-security@freebsd.org
   X-Template-Reply-To: itojun@itojun.org
   X-Template-Return-Receipt-To: itojun@itojun.org
   X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD  90 5F B4 60 79 54 16 E2
   From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
   Date: Thu, 22 Mar 2001 23:59:47 +0900
   Sender: itojun@itojun.org
   X-SpamBouncer: 1.3 (1/18/00)
   X-SBClass: OK


   >The referenced function ipsec_gethist() does not appear to exist in
   >the FreeBSD tree.

	   yeah, this was introduced into kame tree recently.

   >Could the modified mbuf flags M_DECRYPTED,
   >M_AUTHIPHDR, etc used to determine packets reinjected by ipsec?  If
   >so, then something like
   >#ifdef IPSEC
   >+       if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
   >+               goto pass;
   >+#endif
   >would do what I need if applied against the current code base.  This
   >would make packets processed by ipsec skip the packet filter on the
   >second pass through ip_input.c.  I am sorry if I am using the flags
   >improperly but I didn't find documentation on them after looking
   >around a bit.
   >Would this in general work?  Seems fairly clean...

	   better than now, but not perfect.
	   with the above, tunnelled AH packet will go through again into ip
	   packet filter.  more exactly, when ip_input looks at the following
	   packet, the packet will go through ip packet filter twice (one for
	   IP1, one for IP2).
		   IP1 AH IP2 payload
	   if you take the route (i'm okay with it) i guess you want to
	   put some notes into documents.

   itojun
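Itojun's point about the IP1 AH IP2 layout, as an added example that is not code from this thread or from the KAME/FreeBSD tree: a small parser that walks the outer IPv4 header, the AH header and any IP-in-IP inner header, and records each IP header a packet filter would have to evaluate, so the filter sees two decisions for a tunnel-mode AH packet and one for transport mode. It assumes IPv4 only, a 12-byte ICV in the constructed sample, and constructed placeholder addresses and SPI.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Walk an IPv4 datagram laid out as IP1 AH IP2 payload and record the offset of
 * every IP header a packet filter would have to evaluate (one pass per header).
 * Returns the number of IP headers, or -1 if the packet is truncated/malformed. */
int ip_headers_in_ah_packet(const uint8_t *pkt, size_t len, size_t *offs, int max)
{
    size_t off = 0; int n = 0;
    while (n < max) {
        if (len - off < 20 || (pkt[off] >> 4) != 4) return -1;
        size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;
        if (ihl < 20 || len - off < ihl) return -1;
        offs[n++] = off;
        uint8_t proto = pkt[off + 9]; off += ihl;
        if (proto == 51) {  /* AH: next(1) payload_len(1, 32-bit words minus 2) rsvd(2) SPI(4) seq(4) ICV */
            if (len - off < 12) return -1;
            proto = pkt[off];
            size_t ahlen = ((size_t)pkt[off + 1] + 2) * 4;
            if (len - off < ahlen) return -1;
            off += ahlen;
        }
        if (proto != 4) return n;  /* not IP-in-IP: no further IP header to filter */
    }
    return n;
}

/* Constructed sample packet: outer IPv4 / AH with 12-byte ICV / then either an
 * inner IPv4 + UDP header (tunnel mode) or a bare UDP header (transport mode). */
static size_t put_ipv4(uint8_t *p, uint8_t proto, uint16_t total_len)
{
    memset(p, 0, 20);
    p[0] = 0x45; p[2] = total_len >> 8; p[3] = total_len & 0xff; p[8] = 64; p[9] = proto;
    memcpy(p + 12, "\xc0\xa8\x01\x01\xc0\xa8\x02\x01", 8);  /* 192.168.1.1 -> 192.168.2.1, constructed */
    return 20;
}

int ip_header_count_in_sample(int tunnel)
{
    uint8_t buf[80]; size_t offs[4]; size_t total = 20 + 24 + (tunnel ? 28 : 8);
    size_t off = put_ipv4(buf, 51, (uint16_t)total);
    memset(buf + off, 0, 24);
    buf[off] = tunnel ? 4 : 17;                        /* AH next header: IP-in-IP or UDP */
    buf[off + 1] = 4;                                  /* payload_len: 24 bytes / 4 - 2 */
    buf[off + 7] = 1; buf[off + 11] = 1; off += 24;    /* SPI 1, sequence 1 (constructed) */
    if (tunnel) off += put_ipv4(buf + off, 17, 28);
    memset(buf + off, 0, 8);                           /* UDP header; contents irrelevant here */
    return ip_headers_in_ah_packet(buf, total, offs, 4);
}
```

A filter bypass keyed only on mbuf flags therefore has to decide, per IP header, whether the inner header was already subject to policy; the count this parser returns is the number of decisions the filter owes the packet.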

