Date: Fri, 2 Jun 2006 12:48:42 +0400
From: "Dmitry Andrianov" <dimas@dataart.com>
To: "Max Laier" <mlaier@FreeBSD.org>, <freebsd-pf@FreeBSD.org>
Subject: RE: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets
Message-ID: <D5972F49810A69449A9EA72A4B360DC2D0A1CD@e1.universe.dart.spb>
Max,

I'm not sure enc0 is the solution. Honestly, I haven't tried enc0 yet (only took a look at its sources), so I can be wrong. But to my understanding, if you build the kernel with FILTERGIF, then decapsulated packets will still be visible on the same interface the original ESP packets come to (in addition to enc0). If this is true, there is a need to allow them, meaning there is a need to distinguish decapsulated packets from received ones.

So basically the question is how enc0 and FILTERGIF coexist together... If they do not, probably FILTERGIF should be deprecated in favor of enc0. Have to check.

-----Original Message-----
From: Max Laier [mailto:mlaier@FreeBSD.org]
Sent: Friday, June 02, 2006 11:53 AM
To: Dmitry Andrianov; mlaier@FreeBSD.org; freebsd-pf@FreeBSD.org
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets

Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets

State-Changed-From-To: open->analyzed
State-Changed-By: mlaier
State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
State-Changed-Why:
The solution for this is the enc(4) interface from OpenBSD. There are ongoing porting efforts.

http://www.freebsd.org/cgi/query-pr.cgi?pr=98219
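The split that the thread is arguing about, written out as a pf ruleset. This is an added example, not a ruleset from the PR, from Dmitry or from Max: the interface names, the peer address and the two subnets are assumed values, and it assumes an enc(4) interface on which pf sees the decapsulated (inner) packets. The outer ESP/IKE envelope is policed on the physical interface and the inner packets on enc0, which is the distinction Dmitry says the FILTERGIF kernel cannot make on its own.

```pf
# Assumed names and addresses for the example (not from the thread).
ext_if     = "em0"            # physical interface the ESP packets arrive on
enc_if     = "enc0"           # enc(4): decapsulated IPsec traffic is seen here
peer       = "203.0.113.2"    # remote IPsec gateway
local_net  = "10.1.0.0/16"    # behind this host
remote_net = "10.2.0.0/16"    # behind the peer

set skip on lo0
block log all

# Outer traffic on the physical interface: only the IPsec envelope from the
# peer (ESP, and IKE/NAT-T on UDP 500/4500). Nothing else from the peer is
# allowed here, so a cleartext packet claiming a $remote_net source is dropped.
pass in  on $ext_if proto esp from $peer to ($ext_if) keep state
pass in  on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to $peer keep state
pass out on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 } keep state

# Inner traffic on enc0: this is the only place the decapsulated packets are
# matched, so a rule here cannot be satisfied by a packet that was never
# authenticated and decrypted by the SA.
block in  on $enc_if
pass  in  on $enc_if from $remote_net to $local_net keep state
pass  out on $enc_if from $local_net  to $remote_net keep state
```

The caveat Dmitry raises applies directly to this ruleset: on a kernel where the decapsulated packet is re-injected on the physical interface as well (the FILTERGIF behaviour he describes), the `block log all` default would also drop it on $ext_if, and the $remote_net to $local_net rule would have to be duplicated there. Doing that reintroduces the problem, because on $ext_if pf can no longer tell a decapsulated inner packet from a spoofed cleartext one with the same addresses; the enc0-only rule is safe only when the inner packet is filtered on enc0 and nowhere else.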