options FAST_IPSEC & tunnels
Sam Leffler
sam at errno.com
Tue Apr 1 11:03:40 PST 2003
> I'm using IPSEC tunnels to join different gateways over the Internet.
>
> I've made some trials with FAST_IPSEC today (I've received a Soekris
> VPN1201) and I'm facing a problem with incoming packets.
>
> The following code snippet from /sys/netinet/ip_input.c permits
> detunneled packets to flow without being filtered by ipf/ipfw:
>
> #if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
>         /*
>          * Bypass packet filtering for packets from a tunnel (gif).
>          */
>         if (ipsec_gethist(m, NULL))
>                 goto pass;
> #endif
>
> Is there any counterpart for FAST_IPSEC (I've dug thru the code, but no
> luck atm) ?
Wow, someone besides me actually using fast ipsec! :)
Packets are tagged once they've been processed on input. I think you can do
a similar check with something like:

        /* m_tag_find(m, type, start): first tag of the given type on mbuf m */
        if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
                goto pass;

Long term, I intend to associate packets with an enc device so there's a
way to identify these packets when writing firewall rules.
Sam
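The check in the reply above rests on the mbuf tag chain: FAST_IPSEC attaches a PACKET_TAG_IPSEC_IN_DONE tag to a packet it has decapsulated, and ip_input() can look for that tag to decide whether the packet skips ipf/ipfw. The following is an added userland model of that decision, not FreeBSD kernel code and not code from either poster: it reimplements the small part of the m_tag API the check relies on (a per-packet list of typed tags searched by m_tag_find) so the bypass logic, with and without an IPSEC_FILTERGIF-style build option, can be exercised outside the kernel. The tag type names follow the kernel, but their numeric values, the simplified struct layouts, and the helpers make_packet() and bypasses_filter() are assumptions of this example.

```c
/*
 * Added example: userland model of the IPsec input-tag check.  Not kernel
 * code.  Tag type values are placeholders; only the names mirror FreeBSD.
 */
#include <stdio.h>
#include <stdlib.h>

#define PACKET_TAG_NONE           0
#define PACKET_TAG_IPSEC_IN_DONE  1   /* set by FAST_IPSEC after input processing */
#define PACKET_TAG_IPSEC_OUT_DONE 2   /* set on the output path; not a bypass reason */

/* Simplified m_tag: a singly linked chain of typed tags hung off the mbuf. */
struct m_tag {
    struct m_tag *m_tag_next;
    unsigned int  m_tag_type;
};

/* Simplified mbuf: only the description and tag chain matter here. */
struct mbuf {
    const char   *m_desc;
    struct m_tag *m_tags;
};

/* Model of m_tag_find(m, type, start): first tag of `type` after `start`
 * (or from the head of the chain when start is NULL); NULL if none. */
static struct m_tag *
m_tag_find(struct mbuf *m, unsigned int type, struct m_tag *start)
{
    struct m_tag *t = start ? start->m_tag_next : m->m_tags;
    for (; t != NULL; t = t->m_tag_next)
        if (t->m_tag_type == type)
            return t;
    return NULL;
}

/* Model of m_tag_prepend(): push a new tag of `type` onto the chain. */
static void
m_tag_prepend(struct mbuf *m, unsigned int type)
{
    struct m_tag *t = calloc(1, sizeof(*t));
    if (t == NULL)
        abort();
    t->m_tag_type = type;
    t->m_tag_next = m->m_tags;
    m->m_tags = t;
}

/* Constructed sample packet: decapsulated packets get IPSEC_IN_DONE. */
static struct mbuf *
make_packet(const char *desc, int ipsec_in_done)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL)
        abort();
    m->m_desc = desc;
    if (ipsec_in_done)
        m_tag_prepend(m, PACKET_TAG_IPSEC_IN_DONE);
    return m;
}

static void
free_packet(struct mbuf *m)
{
    while (m->m_tags != NULL) {
        struct m_tag *t = m->m_tags;
        m->m_tags = t->m_tag_next;
        free(t);
    }
    free(m);
}

/*
 * The decision from the reply.  Returns 1 when the packet would skip the
 * packet filter (the behaviour of the IPSEC && !IPSEC_FILTERGIF build), 0
 * when it would be filtered.  `filter_gif` plays the role of the
 * IPSEC_FILTERGIF option: when set, decapsulated packets are filtered like
 * any other, which is the setting to prefer when the inner traffic of a
 * tunnel must still pass the firewall rules.
 */
static int
bypasses_filter(struct mbuf *m, int filter_gif)
{
    if (filter_gif)
        return 0;
    return m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL;
}

int
main(void)
{
    struct mbuf *tun = make_packet("decapsulated from IPsec tunnel", 1);
    struct mbuf *plain = make_packet("ordinary inbound packet", 0);

    printf("%s: bypass=%d (FILTERGIF off), bypass=%d (FILTERGIF on)\n",
           tun->m_desc, bypasses_filter(tun, 0), bypasses_filter(tun, 1));
    printf("%s: bypass=%d (FILTERGIF off)\n",
           plain->m_desc, bypasses_filter(plain, 0));

    free_packet(tun);
    free_packet(plain);
    return 0;
}
```

The only tag that triggers the bypass is PACKET_TAG_IPSEC_IN_DONE; an output-side tag does not, and once the FILTERGIF-style option is on, the tag is ignored and every packet reaches the filter.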