Date:      Sun, 13 Jan 2002 18:01:35 +0100
From:      Rene de Vries <rene@canyon.xs4all.nl>
To:        net@freebsd.org
Subject:   Filtering packets received through an ipsec tunnel 
Message-ID:  <3386757E-0847-11D6-882A-00039357FA7A@canyon.xs4all.nl>

Hello,

> This message was already posted to hackers@freebsd.org, but with 
> limited success. I'm hoping that someone on net@freebsd.org can give me 
> some more information.

By experimenting with ipsec and looking at the source of "ip_input.c", a 
co-worker and I found out the following.

When an ipsec tunnel packet is received, this (protocol 50/51) packet is 
passed through ip-filter (& co). After filtering, and when it has been 
determined that the current host is the destination (tunnel end-point), 
this packet is decrypted/verified. The decrypted packet is then pushed 
back into the queue that leads to ip_input(...). So far so good...

But once in ip_input(...) the filtering code is skipped and we were 
wondering why.

I know that ipsec has some handles to be able to filter on address, 
protocol and/or port. But for more complex situations this is not 
enough. In these situations it would be nice to be able to use 
ip-filter (& co) on traffic from the tunnel (and also for traffic going 
into the tunnel).

I was wondering why this is implemented the way it is. Maybe someone on 
this list could shed some light on this?

Rene
--
Rene de Vries <rene@tcja.nl>

