kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec

Robert Sevat robert.sevat at live.nl
Tue Mar 11 18:58:45 UTC 2014 

Hey,

First off all, thanks for the patch, should we wait for FreeBSD 10.1, use 10.0/stable or patch it our selves?

Or is this going to be issued as Errata patch for FreeBSD 10.0-Release? (which I think it should be)

Kind Regards,
Robert Sevat


> Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
> From: nicolas at deffayet.com
> To: gamanakis at gmail.com
> Date: Fri, 28 Feb 2014 23:36:44 +0100
> CC: andre at freebsd.org; melifaro at freebsd.org; a.v.volobuev at gmail.com; freebsd-bugs at freebsd.org; bug-followup at freebsd.org
> 
> The following patch seem to be the only working workaround for IPsec
> transport mode and tunnel mode. Please note the use of M_PROTO7 instead
> of M_PROTO5 as that is not used in netinet & netinet6. M_PROTO5 is used
> for another purpose and so using it may create a conflict like M_PROTO3.
> 
> ---
> Index: netinet/ip_var.h
> ===================================================================
> --- netinet/ip_var.h    (revision 262470)
> +++ netinet/ip_var.h    (working copy)
> @@ -167,7 +167,7 @@
>   */
> #define        M_FASTFWD_OURS          M_PROTO1        /* changed dst to
> local */
> #define        M_IP_NEXTHOP            M_PROTO2        /* explicit ip
> nexthop */
> -#define        M_SKIP_FIREWALL         M_PROTO3        /* skip firewall
> processing,
> +#define        M_SKIP_FIREWALL         M_PROTO7        /* skip firewall
> processing,
>                                                    keep in sync with IP6
> */
> #define        M_IP_FRAG               M_PROTO4        /* fragment
> reassembly */
> 
> Index: netinet6/ip6_var.h
> ===================================================================
> --- netinet6/ip6_var.h  (revision 262470)
> +++ netinet6/ip6_var.h  (working copy)
> @@ -297,7 +297,7 @@
>   * IPv6 protocol layer specific mbuf flags.
>   */
> #define        M_IP6_NEXTHOP           M_PROTO2        /* explicit ip
> nexthop */
> -#define        M_SKIP_FIREWALL         M_PROTO3        /* skip firewall
> processing,
> +#define        M_SKIP_FIREWALL         M_PROTO7        /* skip firewall
> processing,
>                                                    keep in sync with
> IPv4 */
> 
> #ifdef __NO_STRICT_ALIGNMENT
> ---
> 
> 
> -- 
> Nicolas DEFFAYET
> 
> _______________________________________________
> freebsd-bugs at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
> To unsubscribe, send any mail to "freebsd-bugs-unsubscribe at freebsd.org"

More information about the freebsd-bugs mailing list