Date:      Fri, 28 Feb 2014 23:36:44 +0100
From:      Nicolas DEFFAYET <nicolas@deffayet.com>
To:        Georgios Amanakis <gamanakis@gmail.com>
Cc:        andre@freebsd.org, melifaro@freebsd.org, Александр Волобуев <a.v.volobuev@gmail.com>, freebsd-bugs@freebsd.org, bug-followup@freebsd.org
Subject:   Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Message-ID:  <1393627004.8727.3.camel@fr-wks3.corp.novso.com>
In-Reply-To: <1393369044.21345.1.camel@fr-wks3.corp.novso.com>
References:  <CACvFP_g4L=pK3ZmZ_kSq=OO+aZANA9k--n7Uhi1Tp6ULO0JHdw@mail.gmail.com> <CACvFP_hUOjNJ69MH7Lj5thvPjCtA_81+j-YbJMFqk6VfQbg2LQ@mail.gmail.com> <1393369044.21345.1.camel@fr-wks3.corp.novso.com>

The following patch seems to be the only working workaround for IPsec
transport mode and tunnel mode. Please note the use of M_PROTO7 instead
of M_PROTO5, as that is not used in netinet & netinet6. M_PROTO5 is used
for another purpose, and so using it may create a conflict like M_PROTO3.

---
Index: netinet/ip_var.h
===================================================================
--- netinet/ip_var.h    (revision 262470)
+++ netinet/ip_var.h    (working copy)
@@ -167,7 +167,7 @@
  */
#define        M_FASTFWD_OURS          M_PROTO1        /* changed dst to
local */
#define        M_IP_NEXTHOP            M_PROTO2        /* explicit ip
nexthop */
-#define        M_SKIP_FIREWALL         M_PROTO3        /* skip firewall
processing,
+#define        M_SKIP_FIREWALL         M_PROTO7        /* skip firewall
processing,
                                                   keep in sync with IP6
*/
#define        M_IP_FRAG               M_PROTO4        /* fragment
reassembly */

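Review bot: this hunk has been re-wrapped by the mail client (the `#define M_FASTFWD_OURS ... /* changed dst to` comment continues on the next line, and so does the `+#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall` line), so it will not apply with patch(1) as posted; please resend it as an attachment or with line wrapping disabled. Separately, the value jumps from M_PROTO3 straight to M_PROTO7 with no explanation in the header itself: the comment on the new line should record which other users of M_PROTO3 and M_PROTO5 the firewall flag is avoiding, otherwise a later cleanup is likely to move it back to the lowest free bit and reintroduce the conflict.
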
Index: netinet6/ip6_var.h
===================================================================
--- netinet6/ip6_var.h  (revision 262470)
+++ netinet6/ip6_var.h  (working copy)
@@ -297,7 +297,7 @@
  * IPv6 protocol layer specific mbuf flags.
  */
#define        M_IP6_NEXTHOP           M_PROTO2        /* explicit ip
nexthop */
-#define        M_SKIP_FIREWALL         M_PROTO3        /* skip firewall
processing,
+#define        M_SKIP_FIREWALL         M_PROTO7        /* skip firewall
processing,
                                                   keep in sync with
IPv4 */

#ifdef __NO_STRICT_ALIGNMENT
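Review bot: the IPv4 and IPv6 headers define the same macro name with the same value and rely on the "keep in sync" comments to stay that way; if they ever diverge, the only signal is a macro redefinition warning, and only in translation units that include both headers. Since this change has to touch both files for exactly that reason, consider defining M_SKIP_FIREWALL once in a header that both netinet and netinet6 include, or adding an `#if` check that the two values agree, instead of duplicating the value here.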
---


-- 
Nicolas DEFFAYET




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1393627004.8727.3.camel>