On Friday 02 June 2006 10:48, Dmitry Andrianov wrote:
> I'm not sure enc0 is the solution.
>
> Honestly, I haven't tried enc0 yet (only took a look at its sources) so
> I can be wrong. But to my understanding if you build the kernel with
> FILTERGIF, then decapsulated packets will still be visible on the same
> interface the original ESP packets come to (in addition to enc0). If this is
> true, there is a need to allow them. Meaning there is a need to distinguish
> decapsulated packets from received ones.
If you can see the complete decapsulated transaction (through enc0) you can
use tagging there to mark packets out of the tunnel and pass on that tag
later on.

I have to admit that I do very little IPSEC/VPN stuff right now so I'm not up to
speed on all aspects of FILTERGIF etc. Hopefully somebody else can fill in
some more detail?
> So basically the question is how enc0 and FILTERGIF coexist together...
> If they do not, probably FILTERGIF should be deprecated in favor of
> enc0.
>
> Have to check.
>
>
> -----Original Message-----
> From: Max Laier [mailto:mlaier FreeBSD.org]
> Sent: Friday, June 02, 2006 11:53 AM
> To: Dmitry Andrianov; mlaier FreeBSD.org; freebsd-pf FreeBSD.org
> Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated
> IPSEC packets
>
> Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets
>
> State-Changed-From-To: open->analyzed
> State-Changed-By: mlaier
> State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
> State-Changed-Why:
> The solution for this is the enc(4) interface from OpenBSD. There are
> ongoing porting efforts.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=98219
--
/"\ Best regards, | mlaier freebsd.org
\ / Max Laier | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
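The tagging approach Max suggests, written out as a pf.conf fragment. This is an added example, not code from the thread, the PR or the FreeBSD project; it assumes a kernel with the ported enc(4) interface, an external interface called em0, and made-up network ranges and a made-up tag name. The security point it illustrates is that plaintext packets arriving on the external interface with source addresses from the remote site must not be mistaken for traffic that came out of the tunnel; only packets that were actually decapsulated pass through enc0, so only they can carry the tag.

```pf
# Added example (not from the original thread): tag decapsulated traffic on
# enc0 and accept it on the physical interface only when the tag is present.
# Interface name, networks and tag name are assumptions for illustration.
ext_if  = "em0"
vpn_net = "10.20.0.0/16"     # remote site reachable through the tunnel (assumed)
lan_net = "192.168.1.0/24"   # local network behind this gateway (assumed)

# 1. The encrypted transport itself: ESP plus IKE (isakmp) and NAT-T.
pass in on $ext_if proto esp from any to ($ext_if)
pass in on $ext_if proto udp from any to ($ext_if) port { isakmp, 4500 }

# 2. Decapsulated packets show up on enc0. Mark them here: nothing that did
#    not go through the IPsec stack is ever seen on this interface, so the
#    tag is proof that the packet really came out of the tunnel.
pass in on enc0 inet from $vpn_net to $lan_net tag FROM_IPSEC keep state

# 3. On the physical interface, plaintext packets claiming a tunnel source
#    address are spoofs and are dropped. If the kernel also re-presents the
#    decapsulated packet on $ext_if (the FILTERGIF behaviour discussed in
#    the thread), the "tagged" rule lets it through, because the tag set on
#    enc0 is carried with the packet; pf uses last-match semantics, so the
#    tagged rule placed after the block rule wins for tagged packets only.
block in on $ext_if inet from $vpn_net to $lan_net
pass in on $ext_if inet from $vpn_net to $lan_net tagged FROM_IPSEC
```

Whether the decapsulated packet is filtered once (on enc0) or twice (enc0 and again on the receiving interface) depends on the kernel build; the rules above are written so that the spoofing block holds in both cases, and the tag does no harm if the second pass never happens. On FreeBSD releases that carry the port, the enc(4) manual page documents the net.enc sysctls that select which stages of IPsec processing are exposed to the packet filter; check them before relying on any particular filtering order.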