Date: Fri, 2 Jun 2006 11:29:36 +0200
From: Max Laier <max@love2party.net>
To: "Dmitry Andrianov" <dimas@dataart.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets
Message-ID: <200606021129.42805.max@love2party.net>
In-Reply-To: <D5972F49810A69449A9EA72A4B360DC2D0A1CD@e1.universe.dart.spb>
References: <D5972F49810A69449A9EA72A4B360DC2D0A1CD@e1.universe.dart.spb>
On Friday 02 June 2006 10:48, Dmitry Andrianov wrote:
> I'm not sure enc0 is the solution.
>
> Honestly, I haven't tried enc0 yet (only took a look at its sources) so
> I can be wrong. But to my understanding, if you build the kernel with
> FILTERGIF, then decapsulated packets will still be visible on the same
> interface the original ESP packets come to (in addition to enc0). If this
> is true, there is a need to allow them. Meaning there is a need to
> distinguish decapsulated packets from received ones.

If you can see the complete decapsulated transaction (through enc0) you can
use tagging there to mark packets out of the tunnel and pass on that tag
later on. I have to admit that I do very little IPSEC/VPN stuff right now,
so I'm not up to speed on all aspects of FILTERGIF etc. Hopefully somebody
else can fill in some more detail?

> So basically the question is how enc0 and FILTERGIF coexist together...
> If they do not, probably FILTERGIF should be deprecated in favor of
> enc0.
>
> Have to check.
>
>
> -----Original Message-----
> From: Max Laier [mailto:mlaier@FreeBSD.org]
> Sent: Friday, June 02, 2006 11:53 AM
> To: Dmitry Andrianov; mlaier@FreeBSD.org; freebsd-pf@FreeBSD.org
> Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated
> IPSEC packets
>
> Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets
>
> State-Changed-From-To: open->analyzed
> State-Changed-By: mlaier
> State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
> State-Changed-Why:
> The solution for this is the enc(4) interface from OpenBSD. There are
> ongoing porting efforts.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
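An added pf.conf sketch of the tagging approach Max describes above; it is not part of this thread or of any FreeBSD documentation. Interface names, networks and the tag name are assumed, as is a kernel where enc0 shows the decapsulated packet before it reappears on the outer interface (the FILTERGIF behaviour Dmitry mentions) or is forwarded to the LAN; only the inbound direction of the tunnel is shown.

```pf
# Assumed names (not from the thread): ext_if carries the ESP traffic,
# int_if is the protected LAN, remote_net is the far end of the tunnel.
ext_if     = "em0"
int_if     = "em1"
remote_net = "10.0.2.0/24"
local_net  = "10.0.1.0/24"

# Let the encrypted tunnel itself in on the outer interface.
pass in on $ext_if proto esp from any to ($ext_if)
pass in on $ext_if proto udp from any to ($ext_if) port 500   # IKE

# enc0 shows the cleartext after decapsulation: filter it here and tag it,
# so later rules can tell it apart from packets that never went through
# the tunnel.
pass in on enc0 from $remote_net to $local_net tag IPSEC_IN keep state

# If the decapsulated packet is seen a second time on $ext_if, only the
# tagged copy is let through (last matching rule wins); an untagged
# cleartext packet claiming a remote_net source hits the block rule.
block in on $ext_if from $remote_net
pass  in on $ext_if tagged IPSEC_IN

# Forwarded towards the LAN, the tag still identifies tunnel traffic.
pass out on $int_if tagged IPSEC_IN keep state
```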
