From owner-freebsd-hackers Mon Nov 5 3:54:14 2001
Delivered-To: freebsd-hackers@freebsd.org
Date: Mon, 5 Nov 2001 14:54:07 +0300 (MSK)
From: Alexey Zakirov
Subject: ipsec processing order

Hail!

I have a complicated ip tunnel setup with ipsec encryption. It's a netgraph udp tunnel that runs over ipsec in transport mode. On my side I have a natd which makes NAT on the tunneled ip. This was working fine until ip_input.c version 1.130.2.23. After that, processed IPSEC packets have no chance to get back into ipfw, so I can't catch them and direct them into natd. I found this change only yesterday because I didn't upgrade my gateway machine for 3 months.

Could someone explain to me why incoming ipsec packets automatically pass ipfw processing?

ip_input.c:

+#ifdef IPSEC
+	if (ipsec_gethist(m, NULL))
+		goto pass;
+#endif

***
WBR, Alexey Zakirov (frank@agava.com)
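Review bot: the unconditional 'goto pass' for any mbuf that carries IPsec history jumps over the ipfw processing that follows it, so no ipfw rule (including a divert to natd, as in this report) ever sees the decapsulated inner packet; if the intent is only to avoid running ipfw a second time on traffic whose outer packet was already filtered, the bypass should be conditional (for example behind a sysctl knob, default off) or at least documented, since as written it silently changes which traffic the firewall inspects.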