From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 11:30:05 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7609237B401; Thu, 19 Jun 2003 11:30:05 -0700 (PDT)
Received: from osku.suutari.iki.fi (osku.syncrontech.com [213.28.98.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8875143F3F; Thu, 19 Jun 2003 11:30:03 -0700 (PDT) (envelope-from ari@suutari.iki.fi)
Received: from raisa (raisa.lemi.suutari.iki.fi [192.168.53.2]) by osku.suutari.iki.fi (8.12.8p1/8.12.8) with SMTP id h5JIU0np081070; Thu, 19 Jun 2003 21:30:00 +0300 (EEST) (envelope-from ari@suutari.iki.fi)
Message-ID: <000901c33691$4d4bd8c0$0235a8c0@raisa>
From: "Ari Suutari" To: "clemens fischer" References: <200306191331.40421.ari.suutari@syncrontech.com> Date: Thu, 19 Jun 2003 21:33:33 +0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 cc: freebsd-ipfw@freebsd.org cc: freebsd-net@freebsd.org Subject: Re: patches for ipsec packet filtering support in ipfw2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jun 2003 18:30:05 -0000 Hi, > * Ari Suutari: > > > Here are two small patches (done on 5.1-RELEASE, but should be ok > > for -current also) which add new "ipsec" flag to ipfw2. > > i did not receive any attachments. will this functionality be > included into freebsd-5 in the future? Does the mailing list strip attachments ? Here they are one for /sys/netinet and other for /usr/src/sbin/ipfw: This is for /sys/netinet: Index: ip_fw.h =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.76.2.1 diff -u -r1.76.2.1 ip_fw.h --- ip_fw.h 4 Jun 2003 02:19:36 -0000 1.76.2.1 +++ ip_fw.h 19 Jun 2003 08:17:44 -0000 @@ -119,6 +119,7 @@ O_TEE, /* arg1=port number */ O_FORWARD_IP, /* fwd sockaddr */ O_FORWARD_MAC, /* fwd mac */ + O_IPSEC, /* has ipsec history */ O_LAST_OPCODE /* not an opcode! */ }; Index: ip_fw2.c =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.28.2.1 diff -u -r1.28.2.1 ip_fw2.c --- ip_fw2.c 4 Jun 2003 02:19:36 -0000 1.28.2.1 +++ ip_fw2.c 19 Jun 2003 18:24:40 -0000 
@@ -1787,6 +1787,14 @@ (TH_RST | TH_ACK | TH_SYN)) != TH_SYN); break; + case O_IPSEC: +#ifdef IPSEC + match = (ipsec_gethist(m, NULL) != NULL); +#else + match = 0; +#endif + break; + case O_LOG: if (fw_verbose) ipfw_log(f, hlen, args->eh, m, oif); @@ -2378,6 +2386,7 @@ case O_TCPFLAGS: case O_TCPOPTS: case O_ESTAB: + case O_IPSEC: case O_VERREVPATH: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; --------------- This is for /usr/src/sbin/ipfw: Index: ipfw.8 =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.122 diff -u -r1.122 ipfw.8 --- ipfw.8 15 Mar 2003 01:13:00 -0000 1.122 +++ ipfw.8 19 Jun 2003 10:21:30 -0000 @@ -835,6 +835,8 @@ specified as argument. .It Cm established Matches TCP packets that have the RST or ACK bits set. +.It Cm ipsec +Matches IP packets that have originated from IPsec stack. .It Cm frag Matches packets that are fragments and not the first fragment of an IP datagram. Note that these packets will not have Index: ipfw2.c =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.23.2.1 diff -u -r1.23.2.1 ipfw2.c --- ipfw2.c 4 Jun 2003 02:19:36 -0000 1.23.2.1 +++ ipfw2.c 19 Jun 2003 08:25:33 -0000 @@ -242,6 +242,7 @@ TOK_DROPTAIL, TOK_PROTO, TOK_WEIGHT, + TOK_IPSEC, }; struct _s_x dummynet_params[] = { @@ -335,6 +336,7 @@ { "mac", TOK_MAC }, { "mac-type", TOK_MACTYPE }, { "verrevpath", TOK_VERREVPATH }, + { "ipsec", TOK_IPSEC }, { "not", TOK_NOT }, /* pseudo option */ { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ @@ -1131,6 +1133,10 @@ printf(" established"); break; + case O_IPSEC: + printf(" ipsec"); + break; + case O_TCPFLAGS: print_flags("tcpflags", cmd, f_tcpflags); break; 
@@ -3050,6 +3056,10 @@ case TOK_ESTAB: fill_cmd(cmd, O_ESTAB, 0, 0); + break; + + case TOK_IPSEC: + fill_cmd(cmd, O_IPSEC, 0, 0); break; case TOK_SETUP: -- Ari S.
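Review bot: in the ip_fw.h hunk, the new opcode is inserted immediately before O_LAST_OPCODE, so existing opcode values keep their numbering, which is the right placement; the comment `/* has ipsec history */` would read better if it said what is actually tested, e.g. `/* packet was processed by the IPsec stack */`, since the kernel side matches on ipsec_gethist() returning non-NULL.

Review bot: in the ip_fw2.c hunk at -1787, the `#else` branch makes a kernel built without `options IPSEC` accept an `ipsec` rule and then silently never match it (`match = 0`), so a rule using the option becomes a no-op rather than a load-time error; either reject the opcode when IPSEC is not defined or document the kernel requirement in ipfw.8. The hunk also adds no `#include` for the header that declares ipsec_gethist(); confirm ip_fw2.c already pulls it in under `#ifdef IPSEC`, otherwise an IPSEC kernel will not build. Finally, if ipsec_gethist() only reports history recorded when IPsec processed the packet, outbound packets that will be encrypted later have no history at the time the firewall sees them; the manual page entry should make clear that the option matches packets that came out of IPsec processing, not packets on their way into it.

Review bot: in the ip_fw2.c hunk at -2378, adding O_IPSEC to the fixed-size instruction check is correct (the opcode takes no argument, matching `fill_cmd(cmd, O_IPSEC, 0, 0)` on the userland side); this is also the natural place to refuse the opcode on a kernel without IPSEC support, failing the rule the way a wrong length fails via `goto bad_size`, so the error reaches the administrator at install time instead of the rule loading and never matching.

Review bot: in the ipfw.8 hunk, "Matches IP packets that have originated from IPsec stack." should read "from the IPsec stack", and the entry should state that it requires a kernel built with IPsec support (on other kernels the option never matches, per the kernel patch) and that it identifies packets after IPsec processing, so it cannot select packets that will only be encrypted on output.

Review bot: in the sbin/ipfw ipfw2.c hunk at -242, a style point: TOK_IPSEC is appended after TOK_WEIGHT, among the dummynet parameter tokens (TOK_DROPTAIL, TOK_PROTO, TOK_WEIGHT directly precede `struct _s_x dummynet_params[]`); placing it beside the other rule-option tokens such as TOK_ESTAB and TOK_VERREVPATH keeps the enum grouped by purpose, though nothing depends on the numeric value.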