kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Nicolas DEFFAYET
nicolas at deffayet.com
Fri Feb 28 22:36:46 UTC 2014
The following patch seems to be the only working workaround for IPsec
transport mode and tunnel mode. Please note the use of M_PROTO7 instead
of M_PROTO5, as M_PROTO7 is not used in netinet & netinet6. M_PROTO5 is
used for another purpose, so using it may create a conflict like the one
with M_PROTO3.
---
Index: netinet/ip_var.h
===================================================================
--- netinet/ip_var.h (revision 262470)
+++ netinet/ip_var.h (working copy)
@@ -167,7 +167,7 @@
*/
#define M_FASTFWD_OURS M_PROTO1 /* changed dst to
local */
#define M_IP_NEXTHOP M_PROTO2 /* explicit ip
nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall
processing,
+#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall
processing,
keep in sync with IP6
*/
#define M_IP_FRAG M_PROTO4 /* fragment
reassembly */
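Review bot: Moving `M_SKIP_FIREWALL` to `M_PROTO7` is only safe if no other layer that sets or tests that bit handles the same mbuf, and the description says only that netinet and netinet6 do not use it; the same point applies to the matching define in netinet6/ip6_var.h. Because this flag makes a packet bypass firewall processing, a second user of the bit would presumably cause either unfiltered traffic or the kind of missed ipfw match this PR reports. I would check every other code path the mbuf crosses for M_PROTO7 before committing. The comment should also record the reason, for example `/* skip firewall processing; moved off M_PROTO3 because of a flag conflict (kern/185876), keep in sync with IP6 */`. Any separately built firewall module that tests the flag would likely need rebuilding against the new headers.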
Index: netinet6/ip6_var.h
===================================================================
--- netinet6/ip6_var.h (revision 262470)
+++ netinet6/ip6_var.h (working copy)
@@ -297,7 +297,7 @@
* IPv6 protocol layer specific mbuf flags.
*/
#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip
nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall
processing,
+#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall
processing,
keep in sync with
IPv4 */
#ifdef __NO_STRICT_ALIGNMENT
---
--
Nicolas DEFFAYET