patches for ipsec packet filtering support in ipfw2

Ari Suutari ari at suutari.iki.fi
Thu Jun 19 11:30:05 PDT 2003


Hi,

> * Ari Suutari:
> 
> > Here are two small patches (done on 5.1-RELEASE, but should be ok
> > for -current also) which add new "ipsec" flag to ipfw2.
> 
> i did not receive any attachments.  will this functionality be
> included into freebsd-5 in the future?

    Does the mailing list strip attachments?
    Here they are, one for /sys/netinet and the other for /usr/src/sbin/ipfw:

This is for /sys/netinet:


Index: ip_fw.h
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.76.2.1
diff -u -r1.76.2.1 ip_fw.h
--- ip_fw.h 4 Jun 2003 02:19:36 -0000 1.76.2.1
+++ ip_fw.h 19 Jun 2003 08:17:44 -0000
@@ -119,6 +119,7 @@
  O_TEE,   /* arg1=port number  */
  O_FORWARD_IP,  /* fwd sockaddr   */
  O_FORWARD_MAC,  /* fwd mac   */
+ O_IPSEC,  /* has ipsec history  */
  O_LAST_OPCODE  /* not an opcode!  */
 };
 
Index: ip_fw2.c
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.28.2.1
diff -u -r1.28.2.1 ip_fw2.c
--- ip_fw2.c 4 Jun 2003 02:19:36 -0000 1.28.2.1
+++ ip_fw2.c 19 Jun 2003 18:24:40 -0000
@@ -1787,6 +1787,14 @@
          (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
     break;
 
+                        case O_IPSEC:
+#ifdef IPSEC
+                                match = (ipsec_gethist(m, NULL) != NULL);
+#else
+    match = 0;
+#endif
+          break;
+
    case O_LOG:
     if (fw_verbose)
      ipfw_log(f, hlen, args->eh, m, oif);
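Review bot: The `#else` branch setting `match = 0;` means a rule using `ipsec` is accepted by a kernel built without IPSEC but can never match, so the operator sees a silently dead rule instead of an error at `ipfw add` time; rejecting the opcode at rule-install time is the safer failure mode. The natural place is the opcode-validation hunk further down in this file (the new `case O_IPSEC:` next to O_ESTAB and O_VERREVPATH): guard that label with `#ifdef IPSEC` / `case O_IPSEC:` / `#endif` and, under `#else`, let O_IPSEC fall to whatever error path the routine already uses for an unknown opcode, so loading fails loudly. The match itself only tests whether the mbuf carries IPsec history (`ipsec_gethist(m, NULL) != NULL`); a short comment such as `/* matches only packets the IPsec stack has already processed; no history is present for packets not yet touched by IPsec */` would make the rule's scope clear to readers who equate "ipsec" with "will be encrypted". The new case body also mixes space- and tab-indented lines while the neighbouring cases use tabs; reindent to match. The enclosing switch and function begin and end outside the hunk.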
@@ -2378,6 +2386,7 @@
   case O_TCPFLAGS:
   case O_TCPOPTS:
   case O_ESTAB:
+  case O_IPSEC:
   case O_VERREVPATH:
    if (cmdlen != F_INSN_SIZE(ipfw_insn))
     goto bad_size;



---------------

This is for /usr/src/sbin/ipfw:

Index: ipfw.8
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.122
diff -u -r1.122 ipfw.8
--- ipfw.8 15 Mar 2003 01:13:00 -0000 1.122
+++ ipfw.8 19 Jun 2003 10:21:30 -0000
@@ -835,6 +835,8 @@
 specified as argument.
 .It Cm established
 Matches TCP packets that have the RST or ACK bits set.
+.It Cm ipsec
+Matches IP packets that have originated from IPsec stack.
 .It Cm frag
 Matches packets that are fragments and not the first
 fragment of an IP datagram. Note that these packets will not have
Index: ipfw2.c
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.23.2.1
diff -u -r1.23.2.1 ipfw2.c
--- ipfw2.c 4 Jun 2003 02:19:36 -0000 1.23.2.1
+++ ipfw2.c 19 Jun 2003 08:25:33 -0000
@@ -242,6 +242,7 @@
  TOK_DROPTAIL,
  TOK_PROTO,
  TOK_WEIGHT,
+ TOK_IPSEC,
 };
 
 struct _s_x dummynet_params[] = {
@@ -335,6 +336,7 @@
  { "mac",  TOK_MAC },
  { "mac-type",  TOK_MACTYPE },
  { "verrevpath",  TOK_VERREVPATH },
+ { "ipsec",  TOK_IPSEC },
 
  { "not",  TOK_NOT },  /* pseudo option */
  { "!", /* escape ? */ TOK_NOT },  /* pseudo option */
@@ -1131,6 +1133,10 @@
     printf(" established");
     break;
 
+   case O_IPSEC:
+    printf(" ipsec");
+    break;
+
    case O_TCPFLAGS:
     print_flags("tcpflags", cmd, f_tcpflags);
     break;
@@ -3050,6 +3056,10 @@
 
   case TOK_ESTAB:
    fill_cmd(cmd, O_ESTAB, 0, 0);
+   break;
+
+  case TOK_IPSEC:
+   fill_cmd(cmd, O_IPSEC, 0, 0);
    break;
 
   case TOK_SETUP:

--


    Ari S.



