Date:      Tue, 11 Mar 2014 19:57:35 +0100
From:      Robert Sevat <robert.sevat@live.nl>
To:        Nicolas DEFFAYET <nicolas@deffayet.com>, Georgios Amanakis <gamanakis@gmail.com>
Cc:        "melifaro@freebsd.org" <melifaro@freebsd.org>, "freebsd-bugs@freebsd.org" <freebsd-bugs@freebsd.org>, "andre@freebsd.org" <andre@freebsd.org>, "bug-followup@freebsd.org" <bug-followup@freebsd.org>, =?koi8-r?B?4czFy9PBzsTSIPfPzM/C1cXX?= <a.v.volobuev@gmail.com>
Subject:   RE: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Message-ID:  <DUB114-W84859A5D84219FDD583B1387770@phx.gbl>
In-Reply-To: <1393627004.8727.3.camel@fr-wks3.corp.novso.com>
References:  <CACvFP_g4L=pK3ZmZ_kSq=OO%2BaZANA9k--n7Uhi1Tp6ULO0JHdw@mail.gmail.com>, <CACvFP_hUOjNJ69MH7Lj5thvPjCtA_81%2Bj-YbJMFqk6VfQbg2LQ@mail.gmail.com>, <1393369044.21345.1.camel@fr-wks3.corp.novso.com>, <1393627004.8727.3.camel@fr-wks3.corp.novso.com>

Hey,

First of all, thanks for the patch, should we wait for FreeBSD 10.1, use 10.0/stable or patch it ourselves?

Or is this going to be issued as an Errata patch for FreeBSD 10.0-Release? (which I think it should be)

Kind Regards,
Robert Sevat


> Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
> From: nicolas@deffayet.com
> To: gamanakis@gmail.com
> Date: Fri, 28 Feb 2014 23:36:44 +0100
> CC: andre@freebsd.org; melifaro@freebsd.org; a.v.volobuev@gmail.com; freebsd-bugs@freebsd.org; bug-followup@freebsd.org
>
> The following patch seems to be the only working workaround for IPsec
> transport mode and tunnel mode. Please note the use of M_PROTO7 instead
> of M_PROTO5 as that is not used in netinet & netinet6. M_PROTO5 is used
> for another purpose and so using it may create a conflict like M_PROTO3.
>
> ---
> Index: netinet/ip_var.h
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- netinet/ip_var.h    (revision 262470)
> +++ netinet/ip_var.h    (working copy)
> @@ -167=2C7 +167=2C7 @@
>   */
> #define        M_FASTFWD_OURS          M_PROTO1        /* changed dst to
> local */
> #define        M_IP_NEXTHOP            M_PROTO2        /* explicit ip
> nexthop */
> -#define        M_SKIP_FIREWALL         M_PROTO3        /* skip firewall
> processing=2C
> +#define        M_SKIP_FIREWALL         M_PROTO7        /* skip firewall
> processing=2C
>                                                    keep in sync with IP6
> */
> #define        M_IP_FRAG               M_PROTO4        /* fragment
> reassembly */
>=20
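Review bot: the new `M_SKIP_FIREWALL` definition on `M_PROTO7` keeps the old comment ("skip firewall processing, keep in sync with IP6") and records nothing about why the bit moved. A collision on this bit makes a packet skip firewall processing, so the comment should state that M_PROTO3 conflicted and that M_PROTO5 was rejected because it is used for another purpose, as the message above explains. The hunk shows M_PROTO1, M_PROTO2 and M_PROTO4 taken in this header, but it cannot show users of M_PROTO7 outside netinet and netinet6; please confirm that none of them can leave that bit set on an mbuf that later reaches the IP input path.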
> Index: netinet6/ip6_var.h
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- netinet6/ip6_var.h  (revision 262470)
> +++ netinet6/ip6_var.h  (working copy)
> @@ -297=2C7 +297=2C7 @@
>   * IPv6 protocol layer specific mbuf flags.
>   */
> #define        M_IP6_NEXTHOP           M_PROTO2        /* explicit ip
> nexthop */
> -#define        M_SKIP_FIREWALL         M_PROTO3        /* skip firewall
> processing=2C
> +#define        M_SKIP_FIREWALL         M_PROTO7        /* skip firewall
> processing=2C
>                                                    keep in sync with
> IPv4 */
>=20
> #ifdef __NO_STRICT_ALIGNMENT
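Review bot: the `M_SKIP_FIREWALL` line in netinet6/ip6_var.h duplicates the value from netinet/ip_var.h and relies on the "keep in sync with IPv4" comment alone to hold the two together. This patch already has to touch both files for a one-bit change, which is where the two can drift apart; consider defining the flag once in a header that both files include, so that a later change to one side cannot leave IPv6 traffic using a different firewall-skip bit than IPv4.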
> ---
>
>
> --
> Nicolas DEFFAYET
>
> _______________________________________________
> freebsd-bugs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
> To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org"