Date: Thu, 02 Jan 2003 21:22:26 +0100
From: Eric Masson <e-masson@kisoft-services.com>
To: Pekka Nikander <pekka.nikander@nomadiclab.com>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPsec / ipfw interaction in 4.7-STABLE: a proposed change
Message-ID: <86k7hnz4hp.fsf@notbsdems.nantes.kisoft-services.com>
In-Reply-To: <3E144753.7020905@nomadiclab.com> (Pekka Nikander's message of "Thu, 02 Jan 2003 16:06:11 +0200")
References: <3E144753.7020905@nomadiclab.com>
>>>>> "Pekka" == Pekka Nikander <pekka.nikander@nomadiclab.com> writes:

Pekka> Now, as a small step in that direction I made the following
Pekka> small hack to netinet6/esp_input.c. It changes the ESP tunneled
Pekka> packets to look like they were coming from the loopback
Pekka> interface. And it works like a charm. However, this is not a
Pekka> proper fix, and a better one might be to increment NLOOP and use
Pekka> loif[1] instead of loif[0]. Opinions?

Seems pretty close to what OpenBSD has implemented, except they don't use the stock loopback interface. Their enc(4) driver is a software loopback interface:

http://www.openbsd.org/cgi-bin/man.cgi?query=enc&sektion=4&arch=i386&apropos=0&manpath=OpenBSD+Current

It's used in src/sys/netinet/ipsec_input.c to impersonate the incoming interface, just as you did in your patch.

I'd like to know whether there would be any interest in associating a different interface with each incoming SPD entry, or in just using one interface for all incoming SPD entries?

Regards

Eric Masson

-- 
"As recently announced in fr.usenet.forums.annonces, the vote for the destruction/replacement of the group fr.comp.os.linux succeeded, and it is therefore destroyed."
-+- Control in Guide du linuxien pervers - "BSD strikes again" -+-