Date:      Thu, 21 Nov 2002 09:57:54 -0800 (PST)
From:      Archie Cobbs <archie@dellroad.org>
To:        Guido van Rooij <guido@gvr.org>
Cc:        David Kelly <dkelly@hiwaay.net>, "Patrick M. Hausen" <hausen@punkt.de>, Helge Oldach <freebsd-stable-21nov02@oldach.net>, archie@dellroad.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID:  <200211211757.gALHvsQg066238@arch20m.dellroad.org>
In-Reply-To: <20021121165237.GB98848@gvr.gvr.org>

Guido van Rooij wrote:
> > An esp0 or ipsec0 device would provide the handle ipfw needs.
> 
> That is exactly what I wanted to say earlier.
> 
> But beware: this is only true in tunnel mode.
> 
> In transport mode, the KAME stack calls the subprotocol handler
> directly and, unless you set up your ipsec such that the decrypted
> packets actually are tunneled packets using a gif interface, you will
> never be able to catch the packets with a packet filter!

This should be easy to fix though. Just have esp_input() requeue
the packets on ipintrq instead of calling (*inetsw[ip_protox[nxt]].pr_input)
directly. Of course, resetting m->m_pkthdr.rcvif to an appropriate
value ("esp0" or whatever) would have to be done first.

This shouldn't change the functionality in any way, except that the
unencrypted packet will now pass through BPF and ipfw again.

Note: fixing the ipfw and IPSec interaction is great, but another
important benefit of fixing all this stuff is being able to use
tcpdump on esp0 and gif0 to see packets at all of the various stages
of encryption/decryption and encapsulation/de-encapsulation. We should
make full BPF support another goal of our redesign.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
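The two transport-mode input paths discussed in this message, as an added user-space model written for this page (not FreeBSD or KAME code, and not code posted in the thread): the struct stands in for the mbuf, `ipfw_check()`, `esp_input_direct()`, `esp_input_requeue()` and `decrypted_packet_filter_if()` are hypothetical names, and the interface names fxp0 and esp0 are constructed sample values. It shows that only the requeue path lets the packet filter see the decrypted packet, and on which interface.

```c
#include <stddef.h>
#include <string.h>
/* Constructed user-space model of the KAME input paths discussed above
 * (not FreeBSD kernel code): names mirror the thread, bodies are hypothetical.
 * rcvif stands in for m->m_pkthdr.rcvif; filter_if records the interface
 * the packet filter saw the packet on, NULL if it never saw it. */
#define IPPROTO_TCP 6
#define IPPROTO_ESP 50
struct pkt { int proto; const char *rcvif; const char *filter_if; };

/* ipfw stand-in: note which interface the packet appeared to arrive on. */
static void ipfw_check(struct pkt *p) { p->filter_if = p->rcvif; }

/* Stand-in for (*inetsw[ip_protox[nxt]].pr_input), e.g. tcp_input(). */
static void tcp_input(struct pkt *p) { (void)p; }

/* ip_input(): packet filter first, then subprotocol dispatch. */
static void ip_input(struct pkt *p) { ipfw_check(p); if (p->proto == IPPROTO_TCP) tcp_input(p); }

/* One-slot ipintrq and the netisr that drains it. */
static struct pkt *ipintrq;
static void ipintr(void) { if (ipintrq) { ip_input(ipintrq); ipintrq = NULL; } }

/* Today's transport-mode esp_input(): calls the inner handler directly,
 * so the decrypted packet never meets ipfw or BPF. */
static void esp_input_direct(struct pkt *p)
{
    p->proto = IPPROTO_TCP; /* decryption revealed a TCP segment */
    tcp_input(p);
}

/* Proposed esp_input(): reset rcvif to a pseudo-interface, then requeue so
 * ip_input() (hence ipfw and BPF) sees the cleartext packet. */
static void esp_input_requeue(struct pkt *p)
{
    p->proto = IPPROTO_TCP;
    p->rcvif = "esp0"; /* the handle ipfw can match on */
    ipintrq = p;
    ipintr();
}

/* Feed one ESP packet received on fxp0 through the chosen path; returns the
 * interface name the filter saw, or NULL if the filter never saw it. */
const char *decrypted_packet_filter_if(int requeue)
{
    static struct pkt p;
    memset(&p, 0, sizeof p);
    p.proto = IPPROTO_ESP;
    p.rcvif = "fxp0";
    if (requeue) esp_input_requeue(&p); else esp_input_direct(&p);
    return p.filter_if;
}
```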
