kern/53624: patches for ipfw2 to support ipsec packet filtering

Ari Suutari ari.suutari at syncrontech.com
Mon Jun 30 22:40:19 PDT 2003


The following reply was made to PR kern/53624; it has been noted by GNATS.

From: Ari Suutari <ari.suutari at syncrontech.com>
To: freebsd-gnats-submit at FreeBSD.org, ari.suutari at syncrontech.com
Cc:  
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Date: Tue, 1 Jul 2003 08:33:41 +0300

 Here is a new patch for /sys/netinet/ip_fw2.c, which
 also adds support for FAST_IPSEC (untested, but I believe that
 it should work because the change is simple). 
 
 
 Index: ip_fw.h
 ===================================================================
 RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v
 retrieving revision 1.76.2.1
 diff -u -r1.76.2.1 ip_fw.h
 --- ip_fw.h	4 Jun 2003 02:19:36 -0000	1.76.2.1
 +++ ip_fw.h	19 Jun 2003 08:17:44 -0000
 @@ -119,6 +119,7 @@
  	O_TEE,			/* arg1=port number		*/
  	O_FORWARD_IP,		/* fwd sockaddr			*/
  	O_FORWARD_MAC,		/* fwd mac			*/
 +	O_IPSEC,		/* has ipsec history		*/
  	O_LAST_OPCODE		/* not an opcode!		*/
  };
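Review bot: The comment on the new `O_IPSEC` entry does not say which direction the opcode can observe; the evaluation code in ip_fw2.c tests a tag that, judging by the names `PACKET_TAG_IPSEC_IN_DONE` and `ipsec_gethist`, is only attached on the inbound path, so `O_IPSEC, /* inbound IPsec processing was done (input direction only) */` would spare rule writers a surprise. Since this enum is the rule encoding shared with the ipfw(8) userland, the userland side needs the same opcode at the same position; presumably that is the other half of the PR. Appending before the `O_LAST_OPCODE` sentinel keeps the existing opcode numbers stable, which is right.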
  
 Index: ip_fw2.c
 ===================================================================
 RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v
 retrieving revision 1.28.2.1
 diff -u -r1.28.2.1 ip_fw2.c
 --- ip_fw2.c	4 Jun 2003 02:19:36 -0000	1.28.2.1
 +++ ip_fw2.c	1 Jul 2003 05:28:44 -0000
 @@ -73,6 +73,10 @@
  #include <netinet/udp.h>
  #include <netinet/udp_var.h>
  
 +#ifdef IPSEC
 +#include <netinet6/ipsec.h>
 +#endif
 +
  #include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */
  
  #include <machine/in_cksum.h>	/* XXX for in_cksum */
 @@ -1787,6 +1791,18 @@
  				     (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
  				break;
  
 +                        case O_IPSEC:
 +#ifdef FAST_IPSEC
 +				match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
 +#else
 +#ifdef IPSEC
 +                                match = (ipsec_gethist(m, NULL) != NULL);
 +#else
 +				match = 0;
 +#endif /* IPSEC */
 +#endif /* FAST_IPSEC */
 +      				break;
 +
  			case O_LOG:
  				if (fw_verbose)
  					ipfw_log(f, hlen, args->eh, m, oif);
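Review bot: The added `case O_IPSEC:` label and its closing `break;` are indented with spaces (the `break;` mixes spaces and a tab) while the neighbouring cases use tabs, so the block should be re-indented before it goes in; the `#ifdef IPSEC` nested inside `#else` reads more simply as `#elif defined(IPSEC)`. Semantically, both `m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL)` and `ipsec_gethist()` appear to report only that inbound IPsec processing has already happened, so the opcode will never be true for outbound packets and says nothing about which SA or policy was involved; a comment such as `/* true only for packets that arrived through inbound IPsec; never matches on output */` would make that explicit to the next reader. With neither option configured the `match = 0` fallback makes an `ipsec` rule silently inert (and a `not ipsec` rule match everything), which is better rejected at rule-load time in the last hunk of this patch. The enclosing switch starts and ends outside this hunk.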
 @@ -2378,6 +2394,7 @@
  		case O_TCPFLAGS:
  		case O_TCPOPTS:
  		case O_ESTAB:
 +		case O_IPSEC:
  		case O_VERREVPATH:
  			if (cmdlen != F_INSN_SIZE(ipfw_insn))
  				goto bad_size;
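Review bot: Adding `O_IPSEC` to the shared size-check case means the opcode is accepted on every kernel, including one built with neither IPSEC nor FAST_IPSEC, where the evaluation hunk above falls back to `match = 0`; an administrator's `ipsec` rule then loads without error but never matches, and a `not ipsec` rule matches all traffic. Rejecting the rule at load time, so that ipfw(8) reports the failure instead of the rule silently doing nothing, seems safer; the sketch below gives O_IPSEC its own case and returns EINVAL when the kernel cannot evaluate it, assuming the function's `bad_size` path returns an errno value as the existing `goto bad_size` suggests. The enclosing function starts and ends outside this hunk.
```c
		case O_IPSEC:
#if defined(IPSEC) || defined(FAST_IPSEC)
			if (cmdlen != F_INSN_SIZE(ipfw_insn))
				goto bad_size;
			break;
#else
			return EINVAL;	/* opcode cannot be evaluated on this kernel */
#endif
		case O_VERREVPATH:
			/* … unchanged: size check for the remaining opcodes … */
```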
 

