Date: Mon, 1 Nov 2004 09:45:18 +0200
From: "Ari Suutari" <ari@suutari.iki.fi>
To: "Joost Bekkers" <joost@jodocus.org>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
Message-ID: <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com>
References: <200410300927.51286.ari@suutari.iki.fi> <20041030214212.GA1737@bps.jodocus.org>

Hi,

> I've been pondering the same issue and am currently running 5.3-R modified
> in the way you've described. (diff at http://jodocus.org/ipsec-pfil.diff
> I'm not an experienced kernel-hacker, so use at own risk)

Great, I'll have to try this.

> For IPSEC this also means that the resulting ESP and AH packets don't
> traverse the firewall when leaving the system. (at least if I read the
> code correctly; not tested)

Yes, it looks like that with kame ipsec one should leave the original
pfil_hook code *also* in place. Maybe something like

    ip_output()
    {
    #if defined(IPSEC) || defined(FAST_IPSEC)
        pfil_hooks()
    #endif

    #ifdef IPSEC
        kame_ipsec_stuff()
    #endif

    #ifdef FAST_IPSEC
        fast_ipsec_stuff()
    #endif

    #ifndef FAST_IPSEC
        pfil_hooks()
    #endif
    }

    Ari S.