Impossible to IPfilter this?

Gerhard Sittig Gerhard.Sittig at gmx.net
Thu Jun 12 05:20:01 PDT 2003


On Tue, Jun 10, 2003 at 16:07 -0700, Crist J. Clark wrote:
> 
> Here's what happens (approximately), the packets get fed to the
> ip_input() routine. They pass through IPFilter then IPFW. Later they
> find themselves in IPsec processing where the packets are taken out of
> the tunnel. At this point, the packets are fed back into ip_input(),
> BUT the reinjected packets skip all firewall processing on this
> pass. With the IPSEC_FILTERGIF option set, the packets _will_ go
> through the firewall, IPFilter then IPFW, after IPsec processing.

In this scenario (would I be in the situation to have to filter
this traffic:) I would wish for some flag or "handle" to recognize
the different times the packet runs through the filter.  There is
quite a huge difference between "letting ESP/AH in at fxp0 and
accept IPv4 -- maybe RFC1918 addresses -- from this tunnel (but
not otherwise)" and "letting ESP/AH as well as IPv4 in at fxp0".
Not wanting or having to extend the established filter syntax or
the programming interface already laid out almost naturally makes
the "interface" property of a packet one such handle.

OpenBSD has enc(4) for this IIUC.  FreeBSD doesn't have something
similar.  Granted this only came up when the IPSEC_FILTERGIF
option was introduced.  But it could be useful to either say
"post IPsec decapsulation (no matter which tunnel was used)" by
passing an "enc" interface together with the packet.  Or by
specifying something like "interface fxp0-ipsec" (in the generic
or dynamically negotiated SA case) or "interface fxp0-$SA" (when
configured manually by means of ipsec.conf or so).  But sketching
these approaches I see how more and more questions bubble up ... :)


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig at gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
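The distinction drawn above, as an added IPFilter ruleset example that is not part of the thread: it assumes a FreeBSD gateway with IPSEC_FILTERGIF and an enc(4)-style interface (enc0) on which decapsulated packets re-enter the filter, which FreeBSD did not have at the time of this message; addresses and the interface name are constructed placeholders.

```conf
# Added example, not from the original message. Assumes decapsulated
# IPsec packets are presented to IPFilter on a separate "enc0" interface.
# Constructed placeholders: 192.0.2.1 = remote IPsec peer,
# 198.51.100.1 = our fxp0 address, 10.1.0.0/16 = remote private net,
# 192.168.0.0/24 = our LAN behind the gateway.

# First pass (outer packets on fxp0): only the IPsec protocols from the
# known peer are allowed in; "quick" makes the first match final.
pass in quick on fxp0 proto esp from 192.0.2.1 to 198.51.100.1
pass in quick on fxp0 proto ah from 192.0.2.1 to 198.51.100.1

# Plain, untunnelled RFC1918 traffic arriving on fxp0 is never accepted,
# so spoofed private addresses cannot ride in on the wire interface.
block in quick on fxp0 from 10.0.0.0/8 to any

# Second pass (inner packets after decapsulation, seen on enc0): the
# RFC1918 source is accepted only here, i.e. only "from this tunnel".
pass in quick on enc0 from 10.1.0.0/16 to 192.168.0.0/24
block in quick on enc0 all

# Without the interface handle both passes hit the same fxp0 rules, and
# expressing the same intent would mean accepting ESP/AH as well as
# RFC1918 IPv4 on fxp0, the weaker case the message warns about.
```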