kern/98219: [pf] pf needs a way of matching on decapsulated IPSEC packets

Dmitry Andrianov dimas at dataart.com
Fri Jun 2 01:50:38 PDT 2006


Max,
I'm not sure enc0 is the solution.

Honestly, I haven't tried enc0 yet (only took a look at its sources), so
I can be wrong. But to my understanding, if you build the kernel with
FILTERGIF, then decapsulated packets will still be visible on the same
interface the original ESP packets come in on (in addition to enc0). If this is
true, there is a need to allow them. Meaning there is a need to distinguish
decapsulated packets from received ones.

So basically the question is how enc0 and FILTERGIF coexist together...
If they do not, probably FILTERGIF should be deprecated in favor of
enc0.

Have to check.

-----Original Message-----
From: Max Laier [mailto:mlaier at FreeBSD.org] 
Sent: Friday, June 02, 2006 11:53 AM
To: Dmitry Andrianov; mlaier at FreeBSD.org; freebsd-pf at FreeBSD.org
Subject: Re: kern/98219: [pf] pf needs a way of matching on decapsulated
IPSEC packets

Synopsis: [pf] pf needs a way of matching on decapsulated IPSEC packets

State-Changed-From-To: open->analyzed
State-Changed-By: mlaier
State-Changed-When: Fri Jun 2 07:51:47 UTC 2006
State-Changed-Why: 
The solution for this is the enc(4) interface from OpenBSD.  There are
ongoing porting efforts.

http://www.freebsd.org/cgi/query-pr.cgi?pr=98219
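The distinction Dmitry is after (filtering decapsulated traffic separately from the raw ESP traffic that arrives on the external interface) is what enc(4) makes possible in pf. The following pf.conf fragment is an added illustration, not something from the thread or the FreeBSD project; `em0`, the peer/network macros and the addresses are constructed placeholders.

```pf
# Constructed example: an IPsec gateway where the tunnel peer and the
# protected networks are placeholders, not values from the PR.
ext_if     = "em0"
self       = "203.0.113.1"
peer       = "198.51.100.1"
local_net  = "10.1.0.0/16"
remote_net = "10.2.0.0/16"

# On the external interface only the encrypted tunnel traffic is expected:
# IKE on UDP/500 (and UDP/4500 with NAT-T) plus the ESP payload itself.
pass in  on $ext_if proto udp from $peer to $self port { 500, 4500 }
pass out on $ext_if proto udp from $self to $peer port { 500, 4500 }
pass in  on $ext_if proto esp from $peer to $self
pass out on $ext_if proto esp from $self to $peer

# Cleartext from the remote network must never show up on the external
# interface; with enc(4) it only appears on enc0 after decapsulation.
# (If FILTERGIF also re-injected the decapsulated packet on $ext_if, as the
# post above speculates, this rule is where it would be dropped.)
block in log on $ext_if from $remote_net to $local_net

# Policy for the decapsulated traffic is written against enc0, so the rules
# below cannot match a packet unless it was actually protected by IPsec.
pass in  on enc0 from $remote_net to $local_net
pass out on enc0 from $local_net  to $remote_net
```

With `pfctl -s rules -v` after loading, packets from `$remote_net` that are dropped by the `block in log on $ext_if` rule rather than counted on the `enc0` rules indicate that cleartext is being seen on the wrong interface.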
