Date: Fri, 2 Jun 2006 11:29:36 +0200
From: Max Laier <max@love2party.net>
To: "Dmitry Andrianov" <dimas@dataart.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets
Message-ID: <200606021129.42805.max@love2party.net>
In-Reply-To: <D5972F49810A69449A9EA72A4B360DC2D0A1CD@e1.universe.dart.spb>
References: <D5972F49810A69449A9EA72A4B360DC2D0A1CD@e1.universe.dart.spb>
On Friday 02 June 2006 10:48, Dmitry Andrianov wrote:
> I'm not sure enc0 is the solution.
>
> Honestly, I haven't tried enc0 yet (only took a look at its sources) so
> I can be wrong. But to my understanding, if you build the kernel with
> FILTERGIF, then decapsulated packets will still be visible on the same
> interface the original ESP packets come in on (in addition to enc0). If this is
> true, there is a need to allow them, meaning there is a need to distinguish
> decapsulated packets from received ones.

If you can see the complete decapsulated transaction (through enc0) you can
use tagging there to mark packets out of the tunnel and pass on that tag
later on.

I have to admit that I do very little IPSEC/VPN stuff right now, so I'm not up to
speed on all aspects of FILTERGIF etc. Hopefully somebody else can fill in
some more detail?

> So basically the question is how enc0 and FILTERGIF coexist together...
> If they do not, probably FILTERGIF should be deprecated in favor of
> enc0.
>
> Have to check.
>
>
> -----Original Message-----
> From: Max Laier [mailto:mlaier@FreeBSD.org]
> Sent: Friday, June 02, 2006 11:53 AM
> To: Dmitry Andrianov; mlaier@FreeBSD.org; freebsd-pf@FreeBSD.org
> Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated
> IPSEC packets
>
> Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets
>
> State-Changed-From-To: open->analyzed
> State-Changed-By: mlaier
> State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
> State-Changed-Why:
> The solution for this is the enc(4) interface from OpenBSD. There are
> ongoing porting efforts.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

-- 
/"\  Best regards,                      |       mlaier@freebsd.org
\ /  Max Laier                          |       ICQ #67774661
 X   http://pf4freebsd.love2party.net/  |       mlaier@EFnet
/ \  ASCII Ribbon Campaign              |       Against HTML Mail and News
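The tagging approach Max describes above, written out as a pf.conf fragment. This is an added example, not part of the original message or of the FreeBSD project's enc(4) port, and it assumes the situation Dmitry describes: the decapsulated packet is first evaluated by pf on enc0 and then appears a second time on the interface the ESP packet arrived on. The interface name, peer and tunnel addresses, and the tag name are constructed placeholders.

```pf
# Constructed placeholders; adjust to the real topology.
ext_if   = "em0"
vpn_peer = "203.0.113.10"
vpn_net  = "10.20.0.0/24"

set skip on lo0

# IKE and ESP from the peer must reach the host before anything can be
# decapsulated at all.
pass in on $ext_if proto udp from $vpn_peer to ($ext_if) port 500 keep state
pass in on $ext_if proto esp from $vpn_peer to ($ext_if)

# First pass: the decapsulated packet is evaluated on enc0. Filter it here
# on its real (inner) addresses and stamp it with a tag. The state is bound
# to enc0 so it cannot be matched again by the second evaluation below.
block in on enc0
pass in on enc0 inet from $vpn_net tag IPSEC_IN keep state (if-bound)

# Second pass: the same packet shows up on $ext_if. Plain packets claiming
# a tunnel source address are dropped; only packets carrying the tag set on
# enc0 are let through. pf uses last-match semantics, so the pass rule must
# come after the block rule.
block in on $ext_if inet from $vpn_net
pass in on $ext_if inet tagged IPSEC_IN
```

The point of the `block`/`tagged` pair on `$ext_if` is that a cleartext packet spoofing a tunnel address never went through enc0, so it never received the tag and is dropped, while a genuinely decapsulated packet is allowed without having to repeat the inner-address policy on the outer interface. Because the state created on enc0 is `if-bound`, the later evaluation on `$ext_if` is decided by the `tagged` rule rather than by an accidental floating state match.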