From: Andre Oppermann
Date: Thu, 09 Dec 2004 14:46:17 +0100
To: Jeremie Le Hen
Cc: Joost Bekkers, freebsd-net@freebsd.org
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
Message-ID: <41B85729.40F00890@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

Jeremie Le Hen wrote:
>
> > > > > I have some stuff wrt [Fast]IPSEC and your problem in the works and
> > > > > it should become ready around Christmas time (loadable [Fast]IPSEC, at
> > > > > least for IPv4).
> > > >
> > > > While this way of 'fixing' the IPSEC problem works it is rather gross
> > > > and not very stylish. I prefer not to have this in the tree as it makes
> > > > maintenance a lot harder.
> > >
> > > I totally agree that it is not pretty. I was trying to avoid duplicating
> > > the code (so every change would have to be made twice) and making it a
> > > function didn't sit right for some reason. Hints/tips for dealing with
> > > this kind of situation are welcome, but maybe better off-list.
> >
> > As things currently are with IPSEC code woven directly into ip_input()
> > and ip_output() there is no better way than what you have proposed.
> >
> > It will solve it much more nicely. :)
>
> If I understand correctly, either Joost's patch or your nice changes
> that-should-appear-before-Christmas will achieve what the OpenBSD enc(4)
> interface provides [1]. It would be really wonderful. But I may be
> missing something because I can see no way in firewall rules to
> distinguish between the before IPSec processing hook and the after IPSec
> processing one. Could you clarify this for me please?

With the changes you can choose whether you want to do firewalling before
ipsec processing or after but not both.

The enc(4) pseudo device looks interesting but I haven't looked at the
code. Maybe that makes things easier. I'll look into it.

--
Andre
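The distinction Jeremie asks about, shown as an added example that is not part of the thread nor of FreeBSD's or OpenBSD's own documentation: a constructed OpenBSD pf.conf fragment in which the physical interface only ever sees the ESP tunnel and IKE, while enc0 sees the cleartext (before encapsulation on output, after decapsulation on input), so policy can be placed at either hook. The interface names, addresses, networks and the use of keep state (if-bound) are assumptions.

```pf
# Constructed example (not from the thread). Assumed names: em0 is the
# external interface, enc0 the IPsec pseudo interface, 203.0.113.1 this
# gateway, 203.0.113.2 the remote gateway, 10.1.0.0/16 the local and
# 10.2.0.0/16 the remote protected network.
ext_if     = "em0"
gw_local   = "203.0.113.1"
gw_remote  = "203.0.113.2"
net_local  = "10.1.0.0/16"
net_remote = "10.2.0.0/16"

block all

# Hook "after IPsec" for output / "before IPsec" for input: on the
# physical interface only the encapsulated tunnel and the IKE
# negotiation are visible, never the protected payload.
pass in  on $ext_if proto esp from $gw_remote to $gw_local
pass out on $ext_if proto esp from $gw_local  to $gw_remote
pass in  on $ext_if proto udp from $gw_remote to $gw_local  port { 500, 4500 }
pass out on $ext_if proto udp from $gw_local  to $gw_remote port { 500, 4500 }

# Hook "before IPsec" for output / "after IPsec" for input: enc0 carries
# the cleartext packets, so the policy on the payload (which hosts and
# services may cross the tunnel) is expressed here. With a single
# firewall call inside ip_output() one would have to pick one of the two
# hooks; the pseudo interface makes both available at once.
pass in  on enc0 proto tcp from $net_remote to $net_local port { 22, 443 } keep state (if-bound)
pass out on enc0 from $net_local to $net_remote keep state (if-bound)

# Anti-spoofing that is only meaningful after decapsulation: a decrypted
# packet whose inner source is not the remote network is dropped.
block in on enc0 from ! $net_remote
```

The rules on $ext_if deliberately match only protocols esp and udp, so any cleartext reaching the physical interface from the remote gateway is caught by the initial block.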