From owner-freebsd-hackers Fri Jan 11 23:54:40 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from relay2.agava.net.ru (ofc.agava.net [213.59.3.194]) by hub.freebsd.org (Postfix) with ESMTP id 29DA937B416 for ; Fri, 11 Jan 2002 23:54:37 -0800 (PST)
Received: from hellbell.domain (hellbell.domain [192.168.1.12]) by relay2.agava.net.ru (Postfix) with ESMTP id 574B266A60 for ; Sat, 12 Jan 2002 10:54:34 +0300 (MSK)
Received: from localhost (localhost [127.0.0.1]) by hellbell.domain (Postfix) with ESMTP id 328A1CD0C for ; Sat, 12 Jan 2002 10:54:34 +0300 (MSK)
Date: Sat, 12 Jan 2002 10:54:34 +0300 (MSK)
From: Alexey Zakirov
X-X-Sender:
Cc:
Subject: Re: Filtering packets received through an ipsec tunnel
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, 11 Jan 2002, Rene de Vries wrote:

> I know that ipsec has some handles to be able to filter on address,
> protocol and/or port. But for more complex situations this is not
> enough. In these situations it would be nice to be able to use
> ip-filter (& co) on traffic from the tunnel (and also for traffic going
> into the tunnel).
>
> I was wondering why this is implemented the way it is. Maybe someone on
> this list could shed some light on this?

Even worse. This behaviour broke my complicated ipsec/tunnel-gif/natd
setup around summer (when it was committed), so I had to patch
ip_input.c :(

***
WBR, Alexey Zakirov (frank@agava.com)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message