Date: Thu, 21 Nov 2002 09:57:54 -0800 (PST)
From: Archie Cobbs <archie@dellroad.org>
To: Guido van Rooij <guido@gvr.org>
Cc: David Kelly <dkelly@hiwaay.net>, "Patrick M. Hausen" <hausen@punkt.de>, Helge Oldach <freebsd-stable-21nov02@oldach.net>, archie@dellroad.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <200211211757.gALHvsQg066238@arch20m.dellroad.org>
In-Reply-To: <20021121165237.GB98848@gvr.gvr.org>
Guido van Rooij wrote:
> > An esp0 or ipsec0 device would provide the handle ipfw needs.
>
> That is exactly what I wanted to say earlier.
>
> But beware: this is only true in tunnel mode.
>
> In transport mode, the KAME stack calls the subprotocol handler
> directly and, unless you set up your ipsec such that the decrypted
> packets actually are tunneled packets using a gif interface, you will
> never be able to catch the packets with a packet filter!

This should be easy to fix though. Just have esp_input() requeue the
packets on ipintrq instead of calling (*inetsw[ip_protox[nxt]].pr_input)
directly. Of course, resetting m->m_pkthdr.rcvif to an appropriate value
("esp0" or whatever) would have to be done first. This shouldn't change
the functionality in any way, except that the unencrypted packet will
now pass through BPF and ipfw again.

Note: fixing the ipfw and IPSec interaction is great, but another
important benefit of fixing all this stuff is being able to use tcpdump
on esp0 and gif0 to see packets at all of the various stages of
encryption/decryption and encapsulation/de-encapsulation. We should make
full BPF support another goal of our redesign.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
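The dispatch difference discussed in this message, as an added user-space model that is not code from the thread or from the FreeBSD/KAME kernel. The function names ip_input, esp_input and ipintrq are borrowed from the message, but their bodies here are a toy simulation: a filter hook records every packet that passes through ip_input(), and esp_input() either hands the decrypted packet straight to the inner protocol handler (what Guido describes for transport mode) or relabels rcvif as the assumed pseudo-interface "esp0" and requeues it on ipintrq (what Archie proposes). The ESP packet itself is a constructed sample.

```c
/* Added example, not from the FreeBSD thread or kernel: a toy model of
 * ESP input dispatch.  Names mirror the message; bodies are a simulation. */
#include <stdio.h>
#include <string.h>

#define IPPROTO_TCP 6
#define IPPROTO_ESP 50
#define QMAX 8

/* Toy mbuf: just enough packet header to show the rcvif question. */
struct mbuf {
    int proto;          /* protocol field of the IP header */
    char rcvif[8];      /* m->m_pkthdr.rcvif: name of the receiving interface */
    int inner_proto;    /* for ESP: protocol carried after decryption */
};

/* Toy ipintrq: packets queued here go through ip_input() again. */
static struct mbuf ipintrq[QMAX];
static int q_head, q_tail;

/* Record of what the packet filter (ipfw rule / bpf tap) observed. */
struct seen { int proto; char rcvif[8]; };
static struct seen seen_log[QMAX];
static int seen_cnt;

static void reset(void) { q_head = q_tail = 0; seen_cnt = 0; }

/* The filter hook that ip_input() runs before protocol dispatch. */
static void pfil_hook(const struct mbuf *m)
{
    if (seen_cnt >= QMAX) return;
    seen_log[seen_cnt].proto = m->proto;
    strcpy(seen_log[seen_cnt].rcvif, m->rcvif);
    seen_cnt++;
}

static void tcp_input(struct mbuf *m) { (void)m; /* final consumer */ }

/* Transport-mode ESP handler.  requeue == 0: call the subprotocol
 * handler directly, so the filter never sees the cleartext.
 * requeue == 1: relabel rcvif as "esp0" (assumed name) and push the
 * packet back onto ipintrq so ip_input() and its filter hook run again. */
static void esp_input(struct mbuf *m, int requeue)
{
    m->proto = m->inner_proto;          /* "decrypt": expose the inner protocol */
    if (!requeue) {
        tcp_input(m);                   /* stands in for (*inetsw[ip_protox[nxt]].pr_input) */
        return;
    }
    strcpy(m->rcvif, "esp0");
    if (q_tail < QMAX)
        ipintrq[q_tail++] = *m;
}

static void ip_input(struct mbuf *m, int requeue)
{
    pfil_hook(m);
    if (m->proto == IPPROTO_ESP) esp_input(m, requeue);
    else if (m->proto == IPPROTO_TCP) tcp_input(m);
}

/* Drain ipintrq the way the network software interrupt would. */
static void ipintr(int requeue)
{
    while (q_head < q_tail) {
        struct mbuf m = ipintrq[q_head++];
        ip_input(&m, requeue);
    }
}

/* Deliver one constructed ESP-in-IP packet arriving on "fxp0" and
 * return how many times the filter hook saw it. */
int deliver_esp(int requeue)
{
    struct mbuf m = { IPPROTO_ESP, "fxp0", IPPROTO_TCP };  /* constructed sample */
    reset();
    ip_input(&m, requeue);
    ipintr(requeue);
    return seen_cnt;
}

int main(void)
{
    int mode;
    for (mode = 0; mode <= 1; mode++) {
        int n = deliver_esp(mode), j;
        printf("requeue=%d: filter saw the packet %d time(s)\n", mode, n);
        for (j = 0; j < n; j++)
            printf("  proto=%d rcvif=%s\n", seen_log[j].proto, seen_log[j].rcvif);
    }
    return 0;
}
```

Without requeueing, the only thing a filter can match is the outer ESP packet on the physical interface; with requeueing, the same packet comes past the hook a second time as cleartext TCP with rcvif set to the pseudo-interface, which is exactly the handle an ipfw rule or a tcpdump on esp0 needs.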