ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
Eugene Grosbein
eugen at kuzbass.ru
Mon Sep 11 20:44:50 PDT 2006
Kelly Yancey wrote:
> Just FYI, when we implemented the enc interface for FreeBSD 4.10 for
> one of our products at work, we encountered a similar issue. The
> problem is that you need to add a flag to the sockaddr_in passed to the
> divert(4) consumer; when that consumer re-injects the packets into the
> network stack, ip_output() needs to check for the flag and goto
> skip_ipsec to avoid re-encapsulation. The next issue is that
> there is no room in the sockaddr_in structure for such a flag.
Another problem with divert is described in detail here:
http://freebsd.rambler.ru/bsdmail/freebsd-net_2004/msg01736.html
In short: divert of a packet removes multicast options that it may have
and bad things happen with RIPv2 multicast packets.
Eugene