From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 02:43:44 2004
Date: Sun, 31 Oct 2004 18:43:42 -0800
From: Vincent Poy
To: Ari Suutari, Andre Oppermann, freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
In-Reply-To: <200410300927.51286.ari@suutari.iki.fi>
Message-ID: <429af92e04103118435b35f235@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

I am experiencing the same problem as well when I updated from a March 6, 2004 -CURRENT to the October 19, 2004 -CURRENT.
The problem still exists with the October 27, 2004 -CURRENT. I'm using ipfw/dummynet for outgoing queues with the ACK packets having the highest priority in its own queue. However, it seems like while the queues are there, the information on ipfw queue show doesn't update at all as the Source and Destination IP is still the same as the first packet after bootup while the counters change, but the ACK packets are not sent on their own queue but rather with all other packets. I know it is related to pfil_hook when ipfw was converted.

Cheers,
Vince

On Sat, 30 Oct 2004 09:27:50 +0300, Ari Suutari wrote:
> Hi,
>
> I noticed that the processing order of ipsec and ipfw (pfil_hook) is not
> correct for outgoing packets. Currently, ipsec processing is done first,
> which makes packets go through without firewall inspection.
> This might be a security problem for someone, but at least it
> breaks stateful rule handling.
>
> My test setup is (all freebsd 5.3-rc1 machines):
>
> freebsd laptop <-> ipsec tunnel <-> freebsd server
>
> When server sends packet to laptop, it now goes like this:
>
> ip_output -> ipsec -> ip_output -> ipfw -> network
>
> It should go like this:
>
> ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network
>
> I think that this could be fixed by just moving pfil_hook
> processing in ip_output before ipsec processing.
>
> Ari S.
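To make the two orderings in Ari's report concrete, here is an added toy model (constructed for this thread, not FreeBSD's ip_output, ipfw or IPsec code). A tunnel-mode packet is wrapped in ESP between two gateways and re-enters ip_output; the firewall hook can only read the outermost header, so with IPsec first it never sees the cleartext TCP flow that a stateful rule would need to track. All addresses are constructed.

```c
#include <stdio.h>

enum { PROTO_TCP = 6, PROTO_ESP = 50 };

struct pkt {
    const char *src, *dst;   /* addresses of the outermost header */
    int proto;               /* protocol of the outermost header */
    int encapsulated;        /* 1 once the tunnel has wrapped the packet in ESP */
};

/* What the firewall hook was able to observe along one output path. */
struct result { int fw_passes; int tcp_flow_seen; int esp_seen; };

/* Stand-in for the ipfw pfil(9) output hook: it inspects only the outer header. */
static void pfil_hook(const struct pkt *p, struct result *r) {
    r->fw_passes++;
    if (p->proto == PROTO_TCP) r->tcp_flow_seen = 1;   /* stateful rule could match here */
    if (p->proto == PROTO_ESP) r->esp_seen = 1;        /* only the tunnel is visible here */
}

/* Stand-in for tunnel-mode IPsec: rewrites the packet as ESP between the gateways. */
static void ipsec_encap(struct pkt *p, const char *gw_src, const char *gw_dst) {
    p->src = gw_src; p->dst = gw_dst; p->proto = PROTO_ESP; p->encapsulated = 1;
}

/* Model of ip_output(): the encapsulated packet re-enters the same function. */
static void ip_output(struct pkt *p, int fw_before_ipsec, struct result *r) {
    if (fw_before_ipsec && !p->encapsulated)
        pfil_hook(p, r);                               /* proposed order: ipfw on cleartext */
    if (!p->encapsulated) {
        ipsec_encap(p, "198.51.100.1", "198.51.100.2"); /* constructed gateway addresses */
        ip_output(p, fw_before_ipsec, r);              /* second pass for the ESP packet */
        return;
    }
    pfil_hook(p, r);                                   /* both orders: ipfw on the ESP packet */
}

/* Runs one server-to-laptop packet through the chosen ordering. */
struct result run_path(int fw_before_ipsec) {
    struct pkt p = { "10.0.0.10", "10.0.1.20", PROTO_TCP, 0 };  /* constructed inner flow */
    struct result r = { 0, 0, 0 };
    ip_output(&p, fw_before_ipsec, &r);
    return r;
}

int main(void) {
    struct result broken = run_path(0), fixed = run_path(1);
    printf("ipsec first: fw passes=%d, cleartext TCP seen=%d\n", broken.fw_passes, broken.tcp_flow_seen);
    printf("ipfw first:  fw passes=%d, cleartext TCP seen=%d\n", fixed.fw_passes, fixed.tcp_flow_seen);
    return 0;
}
```

With IPsec first the hook runs once and sees only ESP between the gateways; with pfil_hook moved before IPsec it runs twice, once on the cleartext flow and once on the tunnel packet, which is the "ip_output -> ipfw -> ipsec -> ip_output -> ipfw" path Ari asks for.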