Date: Tue, 19 Nov 2002 19:55:35 +0100
From: Guido van Rooij
To: David Kelly
Cc: Scott Ullrich, 'Archie Cobbs', "'greg.panula@dolaninformation.com'", FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?)
Message-ID: <20021119185535.GC43039@gvr.gvr.org>
References: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com> <20021119110336.GA12956@gvr.gvr.org> <200211190754.29355.dkelly@HiWAAY.net> <20021119150826.GA42097@gvr.gvr.org> <20021119161129.GA63943@grumpy.dyndns.org>
In-Reply-To: <20021119161129.GA63943@grumpy.dyndns.org>

On Tue, Nov 19, 2002 at 10:11:29AM -0600, David Kelly wrote:
>
> Once the ipsec history is removed from the packet then how/what/where is
> the packet tagged as having come from? In my case it appears to have

It is tagged as any other packet.

> retained properties of the ESP packet it was encased within. Don't
> really know as I don't have multiple interfaces with ESP packets. The
> system is in production so I can't casually swap interfaces to verify.
>
> At some point since early October when this system was previously
> updated these IPsec packets started appearing on the wrong interface in
> ipfw. Currently only one end of my link is updated, the other end is
> running with the same configuration it has used for the past 9 months.
> With configured (but apparently unused) gif and everything.

What do you mean by wrong interface?

What I did was remove the ipsec history check in ip_input(). What happens in your case is that IP packets come in, are fed into ipfw, then they are decrypted in esp_input() and then fed into the IP subprotocol directly from esp_input(). The code I removed only appears in the first call to ip_input(), but the code would not have any effect in that case. The only way that this removal could have an effect is when esp_input() called xxx_input() which in turn calls ip_input() again. Since you are not using a tunneling device, this does not happen.

-Guido
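A simplified model of the input path Guido describes, added here as an example (it is not the FreeBSD kernel's code): ipfw runs inside ip_input() before decryption, esp_input() hands a plain payload straight to the transport layer, and ip_input() is only re-entered when the payload goes through a tunnel device. The interface names fxp0/gif0, the flag fields and the hist_check switch are constructed for the model.

```c
/* Constructed model of ip_input() -> ipfw -> esp_input() and the
 * re-entry through a tunnel device (gif). Not kernel code. */
#include <stdio.h>
#include <string.h>

struct pkt {
    const char *ifname;   /* interface ipfw sees on the current pass */
    int esp;              /* 1 while the packet is still an ESP packet */
    int tunnel;           /* 1 if the ESP payload is a tunnelled IP packet */
    int ipsec_hist;       /* set once esp_input() has decrypted it */
    int ipfw_passes;      /* how often ipfw inspected this packet */
    char ipfw_ifs[64];    /* interfaces ipfw saw, space separated */
};

static int keep_hist_check = 1;  /* 1 = the check still present, 0 = removed */

static void ip_input(struct pkt *p);

/* esp_input(): strip ESP, record IPsec history, pass payload upward */
static void esp_input(struct pkt *p) {
    p->esp = 0;
    p->ipsec_hist = 1;
    if (p->tunnel) {              /* xxx_input(): gif re-injects into ip_input() */
        p->ifname = "gif0";
        ip_input(p);
    }
    /* otherwise the payload goes directly to TCP/UDP: no second ip_input() */
}

static void ip_input(struct pkt *p) {
    /* the history check skips ipfw for packets IPsec already handled */
    if (!(keep_hist_check && p->ipsec_hist)) {
        p->ipfw_passes++;
        strcat(p->ipfw_ifs, p->ifname);
        strcat(p->ipfw_ifs, " ");
    }
    if (p->esp)
        esp_input(p);
}

/* Run one ESP packet arriving on fxp0; return the number of ipfw passes
 * and, if ifs_out is non-NULL, the interfaces ipfw saw. */
int run(int tunnel, int hist_check, char *ifs_out) {
    struct pkt p = { "fxp0", 1, tunnel, 0, 0, "" };
    keep_hist_check = hist_check;
    ip_input(&p);
    if (ifs_out)
        strcpy(ifs_out, p.ipfw_ifs);
    return p.ipfw_passes;
}
```

Only the tunnel case with the check removed produces a second ipfw pass, and on that pass the interface is the tunnel device, not the physical NIC.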