From: Eric Masson
To: Pekka Nikander
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPsec / ipfw interaction in 4.7-STABLE: a proposed change
Date: Thu, 02 Jan 2003 21:22:26 +0100
Message-ID: <86k7hnz4hp.fsf@notbsdems.nantes.kisoft-services.com>
In-Reply-To: <3E144753.7020905@nomadiclab.com> (Pekka Nikander's message of "Thu, 02 Jan 2003 16:06:11 +0200")
X-Operating-System: FreeBSD 4.7-STABLE i386

>>>>> "Pekka" == Pekka Nikander writes:

Pekka> Now, as a small step in that direction I made the following
Pekka> small hack to netinet6/esp_input.c. It changes the ESP tunneled
Pekka> packets to look like they were coming from the loopback
Pekka> interface. And it works like a charm. However, this is not a
Pekka> proper fix, and a better one might be to increment NLOOP and use
Pekka> loif[1] instead of loif[0].
Opinions?

Seems pretty close to what OpenBSD has implemented, except they don't use the stock loopback interface. Their enc(4) driver is a software loopback interface:

http://www.openbsd.org/cgi-bin/man.cgi?query=enc&sektion=4&arch=i386&apropos=0&manpath=OpenBSD+Current

It's used in src/sys/netinet/ipsec_input.c to impersonate the incoming interface, just as you did in your patch.

I'd like to know whether there would be any interest in associating a different interface with each incoming SPD entry, or in just using one interface for all incoming SPD entries?

Regards

Eric Masson
-- 
"As announced recently in fr.usenet.forums.annonces, the vote for the destruction/replacement of the group fr.comp.os.linux has passed, and the group is therefore destroyed."
-+- Control in Guide du linuxien pervers - "BSD strikes again" -+-
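The interface-attribution question raised in this exchange, worked through as an added example. This is not code from the thread, from FreeBSD's esp_input.c, or from OpenBSD's enc(4); it is a small userland model of the three ways a decapsulated ESP packet can be attributed to an incoming interface (keep the physical rcvif as 4.7 ships, re-inject everything on one loopback-style interface as in the hack, or give each SA its own interface as enc(4) allows), and of what an ipfw-style "via <if>" rule can then prove. Interface names (fxp0, lo0, enc1, enc2), the 10.1/16 and 10.2/16 networks, and the SA peers are hypothetical.

```c
/*
 * Added example: a model of rcvif attribution for decapsulated ESP packets.
 * Not kernel code; all interface, network and peer names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

enum iface { IF_FXP0, IF_LO0, IF_ENC1, IF_ENC2 };

enum mode {
    MODE_STOCK,   /* inner packet keeps the physical rcvif (4.7 as shipped) */
    MODE_SINGLE,  /* every tunnel re-injected on one interface (the loif[0] hack) */
    MODE_PER_SA   /* one interface per tunnel (enc(4)-style, one per SPD entry) */
};

struct pkt { uint32_t src, dst; enum iface rcvif; };

/* A tunnel SA: the peer it terminates and the interface that, in
 * MODE_PER_SA, its decapsulated packets are attributed to. */
struct sa { uint32_t peer; enum iface ifidx; };

#define NET_A    0x0A010000u   /* 10.1.0.0/16, reachable only via the tunnel to peer A */
#define NET_B    0x0A020000u   /* 10.2.0.0/16, reachable only via the tunnel to peer B */
#define MASK16   0xFFFF0000u
#define HOST_LAN 0xC0A80101u   /* 192.168.1.1, a host on our side */

static const struct sa SA_A = { 0xC6336001u, IF_ENC1 };  /* peer 198.51.96.1 */
static const struct sa SA_B = { 0xC6336002u, IF_ENC2 };  /* peer 198.51.96.2 */

static int in_net(uint32_t a, uint32_t net) { return (a & MASK16) == net; }

/* ESP decapsulation of a packet that arrived on `phys`: strip the outer
 * header and re-inject the inner packet with the rcvif the mode dictates. */
static struct pkt esp_decap(const struct sa *s, struct pkt inner,
                            enum iface phys, enum mode m)
{
    switch (m) {
    case MODE_SINGLE: inner.rcvif = IF_LO0;   break;
    case MODE_PER_SA: inner.rcvif = s->ifidx; break;
    default:          inner.rcvif = phys;     break;
    }
    return inner;
}

/* The tightest policy each mode permits; comments give the ipfw equivalent. */
static int fw_accept(const struct pkt *p, enum mode m)
{
    int remote = in_net(p->src, NET_A) || in_net(p->src, NET_B);
    switch (m) {
    case MODE_STOCK:
        /* allow ip from 10.1.0.0/16,10.2.0.0/16 to any via fxp0 */
        return remote && p->rcvif == IF_FXP0;
    case MODE_SINGLE:
        /* allow ip from 10.1.0.0/16,10.2.0.0/16 to any via lo0 */
        return remote && p->rcvif == IF_LO0;
    case MODE_PER_SA:
        /* allow ip from 10.1.0.0/16 to any via enc1
         * allow ip from 10.2.0.0/16 to any via enc2 */
        if (in_net(p->src, NET_A)) return p->rcvif == IF_ENC1;
        if (in_net(p->src, NET_B)) return p->rcvif == IF_ENC2;
        return 0;
    }
    return 0;
}

/* Scenario 1: genuine site-A packet arriving inside the SA to peer A. */
int genuine_from_a(enum mode m)
{
    struct pkt inner = { NET_A | 5, HOST_LAN, IF_FXP0 };
    struct pkt p = esp_decap(&SA_A, inner, IF_FXP0, m);
    return fw_accept(&p, m);
}

/* Scenario 2: cleartext packet on fxp0 claiming a site-A source, never decapsulated. */
int cleartext_spoof_of_a(enum mode m)
{
    struct pkt p = { NET_A | 5, HOST_LAN, IF_FXP0 };
    return fw_accept(&p, m);
}

/* Scenario 3: peer B sends, inside its own tunnel, a packet claiming a site-A source. */
int cross_tunnel_spoof_of_a(enum mode m)
{
    struct pkt inner = { NET_A | 5, HOST_LAN, IF_FXP0 };
    struct pkt p = esp_decap(&SA_B, inner, IF_FXP0, m);
    return fw_accept(&p, m);
}

int main(void)
{
    static const char *names[] = { "stock", "single-if", "per-SA" };
    for (int m = MODE_STOCK; m <= MODE_PER_SA; m++)
        printf("%-10s genuine=%d cleartext-spoof=%d cross-tunnel-spoof=%d\n",
               names[m], genuine_from_a(m), cleartext_spoof_of_a(m),
               cross_tunnel_spoof_of_a(m));
    return 0;
}
```

With the stock attribution the firewall cannot separate a decrypted packet from a cleartext one carrying the same inner source, so both spoofs pass. Re-injecting on a single loopback-style interface stops the cleartext spoof but still lets one peer impersonate another tunnel's network; only a per-SA interface lets a "via" rule tie a source prefix to the tunnel it must have come through, which is what separating SPD entries onto distinct interfaces buys.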