ipfw and ipsec processing order for outgoing packets wrong

Ari Suutari ari at suutari.iki.fi
Sun Oct 31 23:45:26 PST 2004


Hi,

>
> I've been pondering the same issue and am currently running 5.3-R modified 
> in the
> way you've described. (diff at http://jodocus.org/ipsec-pfil.diff I'm not 
> an
> experienced kernel-hacker, so use at own risk)

    Great, I'll have to try this.
>
> For IPSEC this also means that the resulting ESP and AH packets don't 
> traverse the
> firewall when leaving the system. (at least if I read the code correctly; 
> not tested)

    Yes, it looks like that with kame ipsec one should leave the original
    pfil_hook code *also* in place. Maybe something like

    ip_output()
    {
    #if defined(IPSEC) || defined(FAST_IPSEC)
        pfil_hooks()            /* firewall sees the cleartext packet before IPsec */
    #endif
    #ifdef IPSEC
        kame_ipsec_stuff()      /* KAME: ESP/AH produced in place */
    #endif
    #ifdef FAST_IPSEC
        fast_ipsec_stuff()
    #endif
    #ifndef FAST_IPSEC
        pfil_hooks()            /* firewall sees the resulting ESP/AH packet */
    #endif
    }

        Ari S.
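The point of the two hook placements sketched above is which packets the firewall actually gets to see. The following is an added toy model written for this page, not FreeBSD kernel code and not the patch linked in the thread: `pfil_hook`, `ipsec_transform` and the two `ip_output_*` variants are constructed names, and the IPsec step is modelled as nothing more than rewriting the protocol number to ESP (50). It shows that with a hook placed only before the IPsec step the firewall never observes the ESP packet, while a hook before and after observes both the cleartext inner packet and the resulting ESP packet.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of ip_output() hook placement; not kernel code. */
enum { PROTO_TCP = 6, PROTO_ESP = 50 };

struct pkt {
    int proto;      /* IP protocol number as seen by the firewall */
    int encrypted;  /* 1 once the (modelled) IPsec step has run */
};

/* Record of every protocol number the firewall hook was handed. */
#define MAX_SEEN 8
struct fwlog {
    int seen[MAX_SEEN];
    int n;
};

/* Stand-in for the pfil firewall hook: just logs what it sees. */
static void pfil_hook(struct fwlog *log, const struct pkt *p)
{
    if (log->n < MAX_SEEN)
        log->seen[log->n++] = p->proto;
}

/* Stand-in for the IPsec output step: the packet leaves as ESP. */
static void ipsec_transform(struct pkt *p)
{
    p->proto = PROTO_ESP;
    p->encrypted = 1;
}

/* Variant A: firewall hook only before the IPsec step. */
static void ip_output_hook_before_only(struct fwlog *log, struct pkt *p,
                                       int use_ipsec)
{
    pfil_hook(log, p);
    if (use_ipsec)
        ipsec_transform(p);
}

/* Variant B: hook before IPsec and again after it (the sketch above). */
static void ip_output_hook_both(struct fwlog *log, struct pkt *p,
                                int use_ipsec)
{
    pfil_hook(log, p);
    if (use_ipsec) {
        ipsec_transform(p);
        pfil_hook(log, p);
    }
}

/* Did the firewall ever see a packet with this protocol number? */
static int firewall_saw(const struct fwlog *log, int proto)
{
    int i;
    for (i = 0; i < log->n; i++)
        if (log->seen[i] == proto)
            return 1;
    return 0;
}

int main(void)
{
    struct fwlog a, b;
    struct pkt p = { PROTO_TCP, 0 };  /* constructed outgoing TCP packet */
    struct pkt q = { PROTO_TCP, 0 };

    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);

    ip_output_hook_before_only(&a, &p, 1);
    ip_output_hook_both(&b, &q, 1);

    printf("hook before only: saw ESP? %d (hook calls: %d)\n",
           firewall_saw(&a, PROTO_ESP), a.n);
    printf("hook before+after: saw ESP? %d (hook calls: %d)\n",
           firewall_saw(&b, PROTO_ESP), b.n);
    return 0;
}
```

Running it prints that variant A saw ESP 0 times and variant B saw it once; variant B is the order that lets ipfw rules on protocol 50 match the packets that actually leave the box.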



More information about the freebsd-net mailing list