kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets

Max Laier max at love2party.net
Fri Jun 2 02:29:47 PDT 2006


On Friday 02 June 2006 10:48, Dmitry Andrianov wrote:
> I'm not sure enc0 is the solution.
>
> Honestly, I haven't tried enc0 yet (only took a look at its sources) so
> I can be wrong. But to my understanding if you build kernel with
> FILTERGIF, then decapsulated packets will still be visible on the same
> interface original ESP packets come to (in addition to enc0). If this is
> true, there is a need to allow them. Meaning there is a need to distinguish
> decapsulated packets from received ones.

If you can see the complete decapsulated transaction (through enc0) you can 
use tagging there to mark packets out of the tunnel and pass on that tag 
later on.

I have to admit that I do very little IPSEC/vpn stuff right now so I'm not up to 
speed on all aspects of FILTERGIF etc.  Hopefully somebody else can fill in 
some more detail?

> So basically the question is how enc0 and FILTERGIF coexist together...
> If they do not, probably FILTERGIF should be deprecated in favor of
> enc0.
>
> Have to check.
>
>
> -----Original Message-----
> From: Max Laier [mailto:mlaier at FreeBSD.org]
> Sent: Friday, June 02, 2006 11:53 AM
> To: Dmitry Andrianov; mlaier at FreeBSD.org; freebsd-pf at FreeBSD.org
> Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated
> IPSEC packets
>
> Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets
>
> State-Changed-From-To: open->analyzed
> State-Changed-By: mlaier
> State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
> State-Changed-Why:
> The solution for this is the enc(4) interface from OpenBSD.  There are
> ongoing porting efforts.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=98219

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
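An added pf.conf illustration of the tagging approach described above (not part of the thread or of the enc(4) port): it assumes enc(4) is present, em0 as the outer interface, and constructed tunnel networks 10.1.0.0/16 (remote) and 10.2.0.0/16 (local).

```pf
# Assumed outer interface and constructed example networks.
ext_if     = "em0"
remote_net = "10.1.0.0/16"
local_net  = "10.2.0.0/16"

# Let the encrypted traffic (ESP) and IKE reach the IPsec stack.
pass in on $ext_if proto esp from any to ($ext_if)
pass in on $ext_if proto udp from any to ($ext_if) port isakmp keep state

# Decapsulated packets are visible on enc0: filter them there and tag
# the ones that legitimately came out of the tunnel.
block in on enc0
pass in on enc0 from $remote_net to $local_net tag IPSEC_DECAP keep state

# If the decapsulated packet is seen again on the outer interface
# (the FILTERGIF case), only accept it when it carries the tag set on
# enc0; the same inner addresses arriving in cleartext are still blocked.
block in log on $ext_if from $remote_net to $local_net
pass in on $ext_if tagged IPSEC_DECAP
```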

