From: Mike Harding
To: itojun@iijlab.net
Cc: freebsd-security@freebsd.org
In-reply-to: <20010322145947.42FF27E75@starfruit.itojun.org> (message from Jun-ichiro itojun Hagino on Thu, 22 Mar 2001 23:59:47 +0900)
Subject: Re: IPSEC/VPN/NAT and filtering
References: <20010322145947.42FF27E75@starfruit.itojun.org>
Message-Id: <20010322152026.1996C1142A7@netcom1.netcom.com>
Date: Thu, 22 Mar 2001 07:20:26 -0800 (PST)

Itojun -

I am not part of the FreeBSD team, but I would like to do a little work to incorporate this functionality, and ideally I can present it to the right folks and get it folded in. Of course, if you are merging your code back in, then that would be fine as well...

One more question: could you tell me what the following flags mean?

#define M_LOOP M_PROTO4
#define M_AUTHIPDGM M_PROTO5

I assume that M_AUTHIPDGM is _always_ set for good packets, esp and ah, and thus is a good check for skipping the packet filter for packet input. I think that packet output doesn't need any special processing, but I will check into it.

- Mike Harding

From: Jun-ichiro itojun Hagino
Date: Thu, 22 Mar 2001 23:59:47 +0900
Cc: freebsd-security@freebsd.org

>The referenced function ipsec_gethist() does not appear to exist in
>the FreeBSD tree.

Yeah, this was introduced into the kame tree recently.

>Could the modified mbuf flags M_DECRYPTED,
>M_AUTHIPHDR, etc used to determine packets reinjected by ipsec? If
>so, then something like
>#ifdef IPSEC
>+ if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
>+ goto pass;
>+#endif
>would do what I need if applied against the current code base. This
>would make packets processed by ipsec skip the packet filter on the
>second pass through ip_input.c. I am sorry if I am using the flags
>improperly but I didn't find documentation on them after looking
>around a bit.
>Would this in general work? Seems fairly clean...

Better than now, but not perfect. With the above, a tunnelled AH packet will go through the ip packet filter again. More exactly, when ip_input looks at the following packet, the packet will go through the ip packet filter twice (one for IP1, one for IP2).

IP1 AH IP2 payload

If you take the route (I'm okay with it), I guess you want to put some notes into the documents.

itojun
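Review bot: the check in the quoted hunk only skips the filter for the mbuf that carries M_DECRYPTED or M_AUTHIPHDR, and as the reply notes, a tunnel-mode AH packet (IP1 AH IP2 payload) is handed to ip_input a second time for the inner IP2 header, so that inner packet is still filtered; the hunk also carries no context lines, so it is not clear where in ip_input.c the check sits relative to the filter hook or whether a "pass" label exists at that point. Since the poster could not find documentation for these flags, the check should carry a comment stating which IPsec input paths set M_DECRYPTED and M_AUTHIPHDR, and the tunnel-mode double pass should be written into the documentation as the reply suggests.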