kern/53624: patches for ipfw2 to support ipsec packet filtering
Ari Suutari
ari.suutari at syncrontech.com
Mon Jun 30 22:40:19 PDT 2003
The following reply was made to PR kern/53624; it has been noted by GNATS.
From: Ari Suutari <ari.suutari at syncrontech.com>
To: freebsd-gnats-submit at FreeBSD.org, ari.suutari at syncrontech.com
Cc:
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Date: Tue, 1 Jul 2003 08:33:41 +0300
Here is a new patch for /sys/netinet/ip_fw2.c, which
adds support for FAST_IPSEC also (untested, but I believe that
it should work due to the change being simple).
Index: ip_fw.h
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.76.2.1
diff -u -r1.76.2.1 ip_fw.h
--- ip_fw.h 4 Jun 2003 02:19:36 -0000 1.76.2.1
+++ ip_fw.h 19 Jun 2003 08:17:44 -0000
@@ -119,6 +119,7 @@
O_TEE, /* arg1=port number */
O_FORWARD_IP, /* fwd sockaddr */
O_FORWARD_MAC, /* fwd mac */
+ O_IPSEC, /* has ipsec history */
O_LAST_OPCODE /* not an opcode! */
};
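Review bot: placing O_IPSEC immediately before O_LAST_OPCODE keeps every existing opcode value unchanged, which matters because this header is shared with /sbin/ipfw; note, however, that no userland change (ipfw(8) parser or manual page) accompanies the kernel patch here, so the new opcode cannot be expressed in a ruleset until that side is updated as well. The comment "/* has ipsec history */" would also benefit from stating what the history records, since the match code in ip_fw2.c keys on a packet having already passed through IPsec input processing.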
Index: ip_fw2.c
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.28.2.1
diff -u -r1.28.2.1 ip_fw2.c
--- ip_fw2.c 4 Jun 2003 02:19:36 -0000 1.28.2.1
+++ ip_fw2.c 1 Jul 2003 05:28:44 -0000
@@ -73,6 +73,10 @@
#include <netinet/udp.h>
#include <netinet/udp_var.h>
+#ifdef IPSEC
+#include <netinet6/ipsec.h>
+#endif
+
#include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */
#include <machine/in_cksum.h> /* XXX for in_cksum */
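Review bot: the new include is guarded by #ifdef IPSEC only, while the FAST_IPSEC branch added further down relies on m_tag_find() and PACKET_TAG_IPSEC_IN_DONE; since the cover note says that branch is untested, please confirm that a kernel built with FAST_IPSEC (and without IPSEC) compiles this file as-is, and add a FAST_IPSEC-guarded include here if those declarations are not already pulled in by the headers this file includes.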
@@ -1787,6 +1791,18 @@
(TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
break;
+ case O_IPSEC:
+#ifdef FAST_IPSEC
+ match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
+#else
+#ifdef IPSEC
+ match = (ipsec_gethist(m, NULL) != NULL);
+#else
+ match = 0;
+#endif /* IPSEC */
+#endif /* FAST_IPSEC */
+ break;
+
case O_LOG:
if (fw_verbose)
ipfw_log(f, hlen, args->eh, m, oif);
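Review bot: the semantics deserve a comment at case O_IPSEC: as the tag name PACKET_TAG_IPSEC_IN_DONE and the ipsec_gethist() history lookup indicate, the opcode matches packets that were already processed by IPsec on input, and says nothing about whether an outbound packet will be encrypted by a policy later, so administrators should not read it as a general "is IPsec" test. On a kernel with neither IPSEC nor FAST_IPSEC the fallback `match = 0;` means a rule carrying this opcode is accepted but can never fire, which is fail-closed but silent; consider rejecting the opcode at rule-install time in that configuration instead. Minor style: the nested #ifdef/#else pair reads more clearly as `#if defined(FAST_IPSEC)` / `#elif defined(IPSEC)` / `#else`.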
@@ -2378,6 +2394,7 @@
case O_TCPFLAGS:
case O_TCPOPTS:
case O_ESTAB:
+ case O_IPSEC:
case O_VERREVPATH:
if (cmdlen != F_INSN_SIZE(ipfw_insn))
goto bad_size;
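Review bot: adding O_IPSEC to this group correctly enforces that the instruction carries no argument (cmdlen == F_INSN_SIZE(ipfw_insn)); this validation switch is also the natural place to return an error for O_IPSEC when the kernel is built without IPSEC or FAST_IPSEC, so that the problem surfaces when the rule is loaded rather than as a clause that silently never matches in the match loop above.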