From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: "Dmitry Andrianov"
Cc: freebsd-pf@freebsd.org
Date: Fri, 2 Jun 2006 11:29:36 +0200
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets
Message-Id: <200606021129.42805.max@love2party.net>

On Friday 02 June 2006 10:48, Dmitry Andrianov wrote:
> I'm not sure enc0 is the solution.
>
> Honestly, I haven't tried enc0 yet (only took a look at its sources) so
> I can be wrong. But to my understanding if you build kernel with
> FILTERGIF, then decapsulated packets will still be visible on the same
> interface original ESP packets come to (in addition to enc0). If this is
> true, there is need to allow them. Meaning there is need to distinguish
> decapsulated packets from received.

If you can see the complete decapsulated transaction (through enc0) you can
use tagging there to mark packets out of the tunnel and pass on that tag
later on.

I have to admit that I do very few IPSEC/vpn stuff right now so I'm not up to
speed on all aspects of FILTERGIF etc. Hopefully somebody else can fill in
some more detail?

> So basically the question is how enc0 and FILTERGIF coexist together...
> If they do not, probably FILTERGIF should be deprecated in favor of
> enc0.
>
> Have to check.
>
>
> -----Original Message-----
> From: Max Laier [mailto:mlaier@FreeBSD.org]
> Sent: Friday, June 02, 2006 11:53 AM
> To: Dmitry Andrianov; mlaier@FreeBSD.org; freebsd-pf@FreeBSD.org
> Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated
> IPSEC packets
>
> Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets
>
> State-Changed-From-To: open->analyzed
> State-Changed-By: mlaier
> State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
> State-Changed-Why:
> The solution for this is the enc(4) interface from OpenBSD. There are
> ongoing porting efforts.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
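An added pf.conf fragment illustrating the tagging approach suggested in the reply; it is a constructed example, not configuration from the thread or the PR. Interface names, subnets, the peer address and the tag name are assumptions, as is that enc0 is set up so the decrypted inner packets are filtered inbound there and that pf tags stay with the packet when it is filtered again on another interface.

```pf
# Constructed example, not from the thread. All names below are assumed.
ext_if     = "em0"            # interface where the ESP packets arrive
int_if     = "em1"            # interface toward the protected network
ipsec_peer = "203.0.113.10"   # remote tunnel endpoint (documentation address)
tunnel_net = "10.1.0.0/24"    # remote subnet reached through the tunnel
local_net  = "10.2.0.0/24"    # our protected subnet
ipsec_tag  = "FROM_IPSEC"

# On the external interface only the outer ESP traffic from the peer is
# expected. Cleartext packets claiming the tunnel subnet are dropped, so a
# spoofed packet cannot impersonate tunnel traffic.
block in on $ext_if from $tunnel_net
pass in on $ext_if proto esp from $ipsec_peer to ($ext_if)

# The decapsulated (inner) packets are seen on enc0. Filter them there on
# the inner addresses and mark them with a tag; the tag is the evidence that
# the packet really came out of the tunnel.
block in on enc0
pass in on enc0 inet proto tcp from $tunnel_net to $local_net port 22 \
    tag $ipsec_tag

# When the same packet is filtered again on its way out the internal
# interface, only packets carrying the tag are allowed. Any copy of the
# packet that shows up untagged (e.g. re-injected on another interface
# without passing enc0) falls into the block rule. pf uses last-match
# semantics, so the tagged pass rule comes after the block.
block out on $int_if from $tunnel_net
pass out on $int_if tagged $ipsec_tag
```

Check the resulting behaviour with `pfctl -sr` to confirm rule order and with `pfctl -vvsr` or `tcpdump -i enc0` to see whether the inner packets are actually being seen on enc0 before they reach the internal interface.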