Date: Mon, 30 Jun 2003 22:40:18 -0700 (PDT)
From: Ari Suutari <ari.suutari@syncrontech.com>
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Message-ID: <200307010540.h615eIYv053036@freefall.freebsd.org>
The following reply was made to PR kern/53624; it has been noted by GNATS.

From: Ari Suutari <ari.suutari@syncrontech.com>
To: freebsd-gnats-submit@FreeBSD.org, ari.suutari@syncrontech.com
Cc:
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Date: Tue, 1 Jul 2003 08:33:41 +0300

Here is a new patch for /sys/netinet/ip_fw2.c, which adds support for FAST_IPSEC also (untested, but I believe that it should work due to the change being simple).

Index: ip_fw.h =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.76.2.1 diff -u -r1.76.2.1 ip_fw.h --- ip_fw.h 4 Jun 2003 02:19:36 -0000 1.76.2.1 +++ ip_fw.h 19 Jun 2003 08:17:44 -0000 @@ -119,6 +119,7 @@ O_TEE, /* arg1=port number */ O_FORWARD_IP, /* fwd sockaddr */ O_FORWARD_MAC, /* fwd mac */ + O_IPSEC, /* has ipsec history */ O_LAST_OPCODE /* not an opcode! */ }; Index: ip_fw2.c =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.28.2.1 diff -u -r1.28.2.1 ip_fw2.c --- ip_fw2.c 4 Jun 2003 02:19:36 -0000 1.28.2.1 +++ ip_fw2.c 1 Jul 2003 05:28:44 -0000 @@ -73,6 +73,10 @@ #include <netinet/udp.h> #include <netinet/udp_var.h> +#ifdef IPSEC +#include <netinet6/ipsec.h> +#endif + #include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */ #include <machine/in_cksum.h> /* XXX for in_cksum */ @@ -1787,6 +1791,18 @@ (TH_RST | TH_ACK | TH_SYN)) != TH_SYN); break; + case O_IPSEC: +#ifdef FAST_IPSEC + match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL); +#else +#ifdef IPSEC + match = (ipsec_gethist(m, NULL) != NULL); +#else + match = 0; +#endif /* IPSEC */ +#endif /* FAST_IPSEC */ + break; + case O_LOG: if (fw_verbose) ipfw_log(f, hlen, args->eh, m, oif);
@@ -2378,6 +2394,7 @@ case O_TCPFLAGS: case O_TCPOPTS: case O_ESTAB: + case O_IPSEC: case O_VERREVPATH: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size;
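
Review bot: The comment on the new O_IPSEC enumerator in the ip_fw.h hunk, "has ipsec history", describes only the ipsec_gethist() branch of the match code; in a FAST_IPSEC kernel the test is for the PACKET_TAG_IPSEC_IN_DONE tag instead. The neighbouring entries document their argument (for example "arg1=port number" on O_TEE), so the comment should say that this opcode takes no argument and state what it matches in both builds.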
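
Review bot: The include added in the ip_fw2.c hunk at -73,6 is guarded by "#ifdef IPSEC" only, while the O_IPSEC case further down has a FAST_IPSEC branch that calls m_tag_find() with PACKET_TAG_IPSEC_IN_DONE. Nothing in this patch pulls in a header for that branch, and the submitter notes it is untested, so a FAST_IPSEC kernel build should be compiled to confirm both names are already declared by the headers ip_fw2.c includes; if they are not, add the include under "#ifdef FAST_IPSEC" in this same block.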
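
Review bot: In the O_IPSEC case added at -1787,6, the two compiled branches test different things: FAST_IPSEC looks for the PACKET_TAG_IPSEC_IN_DONE mbuf tag, the IPSEC branch looks for any entry returned by ipsec_gethist(m, NULL). A rule set written against one kernel option should filter the same packets on the other, so this needs a test on both builds, plus a short comment above the case stating what "match" means here. The nested "#ifdef FAST_IPSEC / #else / #ifdef IPSEC" would also read more clearly as a single "#if defined(FAST_IPSEC) ... #elif defined(IPSEC) ... #else" chain.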
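
Review bot: The size-check hunk at -2378,6 accepts O_IPSEC unconditionally, including in a kernel built with neither IPSEC nor FAST_IPSEC, where the match code hard-codes "match = 0". A rule using the opcode then loads without error and silently never matches, and a negated form always matches, which can change what a rule set permits without any indication to the administrator. Consider giving O_IPSEC its own case here that fails the rule in such a kernel (with a log message) and otherwise falls through to the existing "cmdlen != F_INSN_SIZE(ipfw_insn)" check.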