From: "Dmitry Andrianov" <dimas@dataart.com>
To: "Max Laier"
Date: Fri, 2 Jun 2006 12:48:42 +0400
Subject: RE: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets

Max,

I'm not sure enc0 is the solution. Honestly, I haven't tried enc0 yet (only took a look at its sources), so I can be wrong. But to my understanding, if you build the kernel with FILTERGIF, then decapsulated packets will still be visible on the same interface the original ESP packets come to (in addition to enc0). If this is true, there is a need to allow them, meaning there is a need to distinguish decapsulated packets from received ones.
So basically the question is how enc0 and FILTERGIF coexist together... If they do not, probably FILTERGIF should be deprecated in favor of enc0. Have to check.

-----Original Message-----
From: Max Laier [mailto:mlaier@FreeBSD.org]
Sent: Friday, June 02, 2006 11:53 AM
To: Dmitry Andrianov; mlaier@FreeBSD.org; freebsd-pf@FreeBSD.org
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets

Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets
State-Changed-From-To: open->analyzed
State-Changed-By: mlaier
State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
State-Changed-Why:
The solution for this is the enc(4) interface from OpenBSD. There are ongoing porting efforts.

http://www.freebsd.org/cgi/query-pr.cgi?pr=98219