Date: Thu, 3 Apr 2003 10:27:31 +0200 (CEST)
From: Mikael Hubsch <micke@hubsch.org>
To: freebsd-net@freebsd.org
Subject: Re: options FAST_IPSEC & tunnels
Message-ID: <20030403101114.H13386-100000@snaps.home>
In-Reply-To: <05b901c2f881$67e907f0$52557f42@errno.com>
On Tue, 1 Apr 2003, Sam Leffler wrote:

> Packets are tagged once they've been processed on input. I think you can do
> a similar check with something like:
>
> if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
>         goto pass;
>
> Long term, I intend to associate packets with an enc device so there's a
> way to identify these packets when writing firewall rules.
>

If the packets are tagged wouldn't it be better to add an ipfw option instead of changing the interface? Then you could add a rule that both tests on correct incoming interface and the fact that ipsec processing was done. For example,

ipfw add pass esp from 10.1.1.0/24 to any in via fxp1
ipfw add deny all from any to any in via fxp1 not ipsecdone

--
Mikael Hubsch
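A toy model of the check discussed in this thread, added here as an example and not code from FreeBSD or from either poster: a tag chain in the style of m_tag_find() marks packets that IPsec has already processed on input, and the two proposed ipfw rules are evaluated against it (the "ipsecdone" option is hypothetical, as in the message; the tag value and interface names are assumptions).

```c
/* Toy model of the "ipsecdone" check (added example, not FreeBSD code). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* FreeBSD defines PACKET_TAG_IPSEC_IN_DONE in sys/mbuf.h; value here is illustrative. */
#define PACKET_TAG_IPSEC_IN_DONE 1
#define IPPROTO_ESP 50
#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

struct m_tag { int type; struct m_tag *next; };

/* Simplified mbuf: only what the rules look at. */
struct pkt {
    const char *rcvif;   /* receiving interface name, e.g. "fxp1" */
    uint32_t src;        /* IPv4 source address, host byte order */
    int proto;           /* IP protocol number */
    struct m_tag *tags;  /* packet tag chain (m_tag_first/next in FreeBSD) */
};

/* Same semantics as m_tag_find(m, type, NULL): first tag of the given type, or NULL. */
static struct m_tag *tag_find(const struct pkt *m, int type) {
    for (struct m_tag *t = m->tags; t != NULL; t = t->next)
        if (t->type == type) return t;
    return NULL;
}

static int in_net(uint32_t addr, uint32_t net, int prefix) {
    uint32_t mask = prefix ? ~0u << (32 - prefix) : 0;
    return (addr & mask) == (net & mask);
}

enum verdict { PASS, DENY };

/* The two rules from the message, in ipfw order:
 *   pass esp from 10.1.1.0/24 to any in via fxp1
 *   deny all from any to any in via fxp1 not ipsecdone
 * Packets not matching either fall through to later rules (modeled as PASS). */
static enum verdict filter_in(const struct pkt *m) {
    if (strcmp(m->rcvif, "fxp1") != 0)
        return PASS;                               /* neither rule binds to this interface */
    if (m->proto == IPPROTO_ESP && in_net(m->src, IP(10, 1, 1, 0), 24))
        return PASS;                               /* outer ESP packet may reach IPsec */
    if (tag_find(m, PACKET_TAG_IPSEC_IN_DONE) == NULL)
        return DENY;                               /* cleartext arriving on fxp1 */
    return PASS;                                   /* decrypted inner packet, tagged on input */
}
```

The third case matters most: after decapsulation the inner packet re-enters the stack with the same receiving interface as the ESP packet, so only the tag distinguishes it from cleartext that was never protected.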