options FAST_IPSEC & tunnels
Mikael Hubsch
micke at hubsch.org
Thu Apr 3 00:27:35 PST 2003
On Tue, 1 Apr 2003, Sam Leffler wrote:
> Packets are tagged once they've been processed on input. I think you can do
> a similar check with something like:
>
> if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
>         goto pass;
>
> Long term, I intend to associate packets with an enc device so there's a
> way to identify these packets when writing firewall rules.
>
If the packets are tagged, wouldn't it be better to add an ipfw
option instead of changing the interface? Then you could add a rule
that tests both for the correct incoming interface and for the fact that
ipsec processing was done. For example,
ipfw add pass esp from 10.1.1.0/24 to any in via fxp1
ipfw add deny all from any to any in via fxp1 not ipsecdone
--
Mikael Hubsch
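To make the proposed semantics concrete, here is an added userland model of the two ipfw rules above, with a hypothetical `ipsecdone` option that behaves like the `m_tag_find(..., PACKET_TAG_IPSEC_IN_DONE, ...)` check quoted from Sam. This is example code written for this page, not code from the thread or from FreeBSD: the mbuf tag chain is replaced by a tiny linked list, and `pkt_t`, `rule_t`, `decide()` and the `ipsecdone` field are assumed names, not kernel or ipfw APIs. It shows why the interface check alone is not enough: ESP from the peer passes, decapsulated traffic that carries the IPsec-done tag passes, and cleartext arriving on the same interface without the tag is denied.

```c
/* Added example (not from the thread): a userland model of the rule set
 * proposed above, with a hypothetical "ipsecdone" option. The mbuf tag
 * chain is modelled with a small linked list; pkt_t, rule_t, decide() and
 * the ipsecdone field are assumptions, not FreeBSD kernel or ipfw APIs. */
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Stand-in for PACKET_TAG_IPSEC_IN_DONE: set once IPsec input processing
 * has finished on the packet. */
#define TAG_IPSEC_IN_DONE 1

typedef struct tag { int type; struct tag *next; } tag_t;

typedef struct {
    const char *ifname;   /* interface the packet arrived on */
    const char *proto;    /* "esp", "tcp", ... */
    unsigned src;         /* IPv4 source, host byte order */
    tag_t *tags;          /* constructed stand-in for the mbuf tag chain */
} pkt_t;

typedef struct {
    bool pass;            /* true = pass, false = deny */
    const char *proto;    /* NULL = any */
    unsigned net, mask;   /* source prefix; mask 0 = any */
    const char *ifname;   /* "in via" interface, NULL = any */
    int ipsecdone;        /* 0 = don't care, 1 = require, -1 = require NOT */
} rule_t;

/* Equivalent of m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL. */
static bool has_tag(const pkt_t *p, int type) {
    for (const tag_t *t = p->tags; t != NULL; t = t->next)
        if (t->type == type) return true;
    return false;
}

static bool rule_matches(const rule_t *r, const pkt_t *p) {
    if (r->proto && strcmp(r->proto, p->proto) != 0) return false;
    if (r->mask && (p->src & r->mask) != (r->net & r->mask)) return false;
    if (r->ifname && strcmp(r->ifname, p->ifname) != 0) return false;
    if (r->ipsecdone == 1 && !has_tag(p, TAG_IPSEC_IN_DONE)) return false;
    if (r->ipsecdone == -1 && has_tag(p, TAG_IPSEC_IN_DONE)) return false;
    return true;
}

/* First matching rule wins, as in ipfw. No match falls through to pass
 * here; a real ruleset would end with an explicit default rule. */
static bool filter(const rule_t *rules, int n, const pkt_t *p) {
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) return rules[i].pass;
    return true;
}

#define IP(a, b, c, d) (((unsigned)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* The two rules from the post:
 *   ipfw add pass esp from 10.1.1.0/24 to any in via fxp1
 *   ipfw add deny all from any to any in via fxp1 not ipsecdone */
static const rule_t ruleset[] = {
    { true,  "esp", IP(10, 1, 1, 0), 0xffffff00u, "fxp1",  0 },
    { false, NULL,  0,               0,           "fxp1", -1 },
};

/* Returns "pass" or "deny" for a constructed packet. */
const char *decide(const char *ifname, const char *proto, unsigned src, bool ipsec_done) {
    tag_t done = { TAG_IPSEC_IN_DONE, NULL };
    pkt_t p = { ifname, proto, src, ipsec_done ? &done : NULL };
    return filter(ruleset, 2, &p) ? "pass" : "deny";
}

int main(void) {
    /* Constructed packets exercising each branch of the policy. */
    printf("esp from peer on fxp1:      %s\n", decide("fxp1", "esp", IP(10, 1, 1, 5), false));
    printf("decapsulated tcp (tagged):  %s\n", decide("fxp1", "tcp", IP(192, 168, 1, 2), true));
    printf("cleartext tcp on fxp1:      %s\n", decide("fxp1", "tcp", IP(192, 168, 1, 2), false));
    printf("cleartext tcp on fxp0:      %s\n", decide("fxp0", "tcp", IP(192, 168, 1, 2), false));
    return 0;
}
```

The order of the two rules matters: the `pass esp` rule must come first, because the ESP packet itself has not been through IPsec input processing yet and would otherwise be caught by the `deny ... not ipsecdone` rule.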