From: "Ari Suutari"
To: "Joost Bekkers"
cc: freebsd-net@freebsd.org
Date: Mon, 1 Nov 2004 09:45:18 +0200
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
Message-ID: <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com>
References: <200410300927.51286.ari@suutari.iki.fi> <20041030214212.GA1737@bps.jodocus.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

> I've been pondering the same issue and am currently running 5.3-R modified
> in the way you've described. (diff at http://jodocus.org/ipsec-pfil.diff
> I'm not an experienced kernel-hacker, so use at own risk)

Great, I'll have to try this.

> For IPSEC this also means that the resulting ESP and AH packets don't
> traverse the firewall when leaving the system. (at least if I read the
> code correctly; not tested)

Yes, it looks like that with kame ipsec one should leave the original
pfil_hook code *also* in place. Maybe something like

ip_output()
{
#if defined(IPSEC) || defined(FAST_IPSEC)
        pfil_hooks()
#endif
#ifdef IPSEC
        kame_ipsec_stuff()
#endif
#ifdef FAST_IPSEC
        fast_ipsec_stuff()
#endif
#ifndef FAST_IPSEC
        pfil_hooks()
#endif
}

        Ari S.
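The following is an added model (not FreeBSD source and not from either poster) of the hook ordering sketched in the mail: it runs one outgoing packet through a toy ip_output() in the original order (pfil after IPsec) and in the proposed order, and records which packet form the firewall hook sees. It assumes that the security policy matches only the cleartext packet, that KAME transforms the packet in place and falls through, and that FAST_IPSEC hands the ESP packet back to ip_output(); the names firewall_sees and trace are the model's own.

```c
/* Model of outgoing-packet ordering in ip_output(): firewall hook vs. IPsec. */
#include <stdio.h>
#include <string.h>

enum ipsec_kind { NO_IPSEC, KAME_IPSEC, FAST_IPSEC };

/* What the pfil (firewall) hook observed, in order. */
#define MAX_SEEN 8
struct trace { const char *seen[MAX_SEEN]; int n; };

static void pfil_hooks(struct trace *t, const char *pkt)
{
    if (t->n < MAX_SEEN) t->seen[t->n++] = pkt;
}

/* proposed == 0: original order (hooks only after IPsec processing).
 * proposed == 1: order from the mail (hooks before IPsec for both stacks,
 * hooks after only when FAST_IPSEC is not compiled in). */
static void ip_output(struct trace *t, enum ipsec_kind k, int proposed,
                      const char *pkt, int encapsulated)
{
    if (proposed && k != NO_IPSEC)          /* #if defined(IPSEC) || defined(FAST_IPSEC) */
        pfil_hooks(t, pkt);
    if (!encapsulated) {                    /* assumption: policy matches cleartext only */
        if (k == KAME_IPSEC)
            pkt = "ESP";                    /* assumption: KAME transforms in place */
        else if (k == FAST_IPSEC) {         /* assumption: FAST_IPSEC re-enters ip_output() */
            ip_output(t, k, proposed, "ESP", 1);
            return;
        }
    }
    if (!proposed || k != FAST_IPSEC)       /* original: always; proposed: #ifndef FAST_IPSEC */
        pfil_hooks(t, pkt);
}

/* Send one cleartext packet; return a comma-joined list of what the firewall saw. */
static const char *firewall_sees(enum ipsec_kind k, int proposed)
{
    static char buf[64];
    struct trace t = { {0}, 0 };
    ip_output(&t, k, proposed, "PLAIN", 0);
    buf[0] = '\0';
    for (int i = 0; i < t.n; i++) {
        if (i) strcat(buf, ",");
        strcat(buf, t.seen[i]);
    }
    return buf;
}

int main(void)
{
    const char *names[] = { "no IPsec", "KAME IPSEC", "FAST_IPSEC" };
    for (int k = NO_IPSEC; k <= FAST_IPSEC; k++) {
        printf("%-11s original order: %s\n", names[k], firewall_sees(k, 0));
        printf("%-11s proposed order: %s\n", names[k], firewall_sees(k, 1));
    }
    return 0;
}
```

With the original order the firewall sees only the ESP packet for both IPsec stacks; with the proposed order it sees the cleartext packet first and the ESP packet afterwards.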