Date:      Thu, 22 Mar 2001 23:59:47 +0900
From:      Jun-ichiro itojun Hagino <itojun@iijlab.net>
To:        Mike Harding <mvh@ix.netcom.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPSEC/VPN/NAT and filtering 
Message-ID:  <20010322145947.42FF27E75@starfruit.itojun.org>
In-Reply-To: mvh's message of Thu, 22 Mar 2001 04:32:18 PST. <20010322123218.742C2114132@netcom1.netcom.com> 


>The referenced function ipsec_gethist() does not appear to exist in
>the FreeBSD tree.

	Yeah, this was introduced into the KAME tree recently.

>Could the modified mbuf flags M_DECRYPTED,
>M_AUTHIPHDR, etc used to determine packets reinjected by ipsec?  If
>so, then something like
>#ifdef IPSEC
>+       if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
>+               goto pass;
>+#endif
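Review bot: the preprocessor guards in this hunk are unbalanced: `#ifdef IPSEC` is shown as unchanged context while `+#endif` is an added line, so applying it as written would leave one more `#endif` than `#ifdef` in ip_input.c. Either mark the `#ifdef IPSEC` line as added too (a new, self-contained block), or drop the `+#endif` and place the two-line check inside the existing `#ifdef IPSEC` block. It would also help to state where the `pass` label sits relative to the packet filter call in ip_input(), since the bypass only does what is intended if the jump lands after the filter hook and before the remaining input processing.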
>would do what I need if applied against the current code base.  This
>would make packets processed by ipsec skip the packet filter on the
>second pass through ip_input.c.  I am sorry if I am using the flags
>improperly but I didn't find documentation on them after looking
>around a bit.
>Would this in general work?  Seems fairly clean...

	Better than now, but not perfect.
	With the above, a tunnelled AH packet will still go through the IP
	packet filter again.  More exactly, when ip_input looks at the following
	packet, the packet will go through the IP packet filter twice (once for
	IP1, once for IP2).
		IP1 AH IP2 payload
	If you take that route (I'm okay with it), I guess you want to
	put some notes into the documents.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010322145947.42FF27E75>