From: Rene de Vries
To: hackers@freebsd.org
Date: Fri, 11 Jan 2002 23:36:23 +0100
Subject: Filtering packets received through an ipsec tunnel

Hello,

By experimenting with ipsec and looking at the source of "ip_input.c", a co-worker and I found out the following.

When an ipsec tunnel packet is received, this (protocol 50/51) packet is passed through ip-filter (& co). After filtering, and when it has been determined that the current host is the destination (tunnel end-point), this packet is decrypted/verified. The decrypted packet is then pushed back into the queue that leads to ip_input(...).

So far so good.... But once in ip_input(...) the filtering code is skipped, and we were wondering why.

I know that ipsec has some handles to be able to filter on address, protocol and/or port. But for more complex situations this is not enough. In these situations it would be nice to be able to use ip-filter (& co) on traffic from the tunnel (and also for traffic going into the tunnel).

I was wondering why this is implemented the way it is. Maybe someone on this list could shed some light on this?

Rene

-- 
Rene de Vries