Date: Tue, 12 Sep 2006 11:44:44 +0800
From: Eugene Grosbein <eugen@kuzbass.ru>
To: Kelly Yancey <kbyanc@posi.net>
Cc: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>, Eugene Grosbein <eugen@grosbein.pp.ru>, net@freebsd.org
Subject: Re: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
Message-ID: <45062D2C.D5F95D6B@kuzbass.ru>
References: <200609111341.k8BDfneZ020221@nkz.delikates-nk.ru> <20060911131513.S27693@gateway.posi.net>
Kelly Yancey wrote:

> Just FYI, when we implemented the enc interface for FreeBSD 4.10 for
> one of our products at work, we encountered a similar issue. The
> problem is that you need to add a flag to the sockaddr_in passed to the
> divert(4) consumer; when that consumer re-injects the packets into the
> network stack, ip_output() needs to check for the flag and goto
> skip_ipsec to avoid re-encapsulation. The next issue is that
> there is no room in the sockaddr_in structure for such a flag.

Another problem with divert is described in detail here:

http://freebsd.rambler.ru/bsdmail/freebsd-net_2004/msg01736.html

In short: divert of a packet removes multicast options that it may have, and bad things happen with RIPv2 multicast packets.

Eugene