Date: Sat, 22 Feb 2003 23:13:07 -0800
From: "Sam Leffler" <sam@errno.com>
To: <current@freebsd.org>
Subject: HEADS UP: ipsec packet filtering change
Message-ID: <193501c2db0b$04666da0$52557f42@errno.com>

This may affect your ipfw/ipf rules. If you are happy with the current
behaviour then add IPSEC_FILTERGIF to your kernel config file.
Sam
----- Original Message -----
From: "Sam Leffler" <sam@FreeBSD.org>
To: <src-committers@FreeBSD.org>; <cvs-src@FreeBSD.org>;
<cvs-all@FreeBSD.org>
Sent: Saturday, February 22, 2003 4:47 PM
Subject: cvs commit: src/sys/netinet ip_input.c src/sys/conf NOTES options
> sam 2003/02/22 16:47:07 PST
>
> Modified files:
> sys/netinet ip_input.c
> sys/conf NOTES options
> Log:
> Add a new config option IPSEC_FILTERGIF to control whether or not
> packets coming out of a GIF tunnel are re-processed by ipfw, et al.
> By default they are not reprocessed. With the option they are.
>
> This reverts 1.214. Prior to that change packets were not re-processed.
> After, they were, which caused problems because packets do not have
> distinguishing characteristics (like a special network if) that allow
> them to be filtered specially.
>
> This is really a stopgap measure designed for immediate MFC so that
> 4.8 has consistent handling to what was in 4.7.
>
> PR: 48159
> Reviewed by: Guido van Rooij <guido@gvr.org>
> MFC after: 1 day
>
> Revision Changes Path
> 1.1129 +11 -0 src/sys/conf/NOTES
> http://cvsweb.FreeBSD.org/src/sys/conf/NOTES.diff?r1=1.1128&r2=1.1129
> 1.374 +1 -0 src/sys/conf/options
> http://cvsweb.FreeBSD.org/src/sys/conf/options.diff?r1=1.373&r2=1.374
> 1.226 +7 -0 src/sys/netinet/ip_input.c
> http://cvsweb.FreeBSD.org/src/sys/netinet/ip_input.c.diff?r1=1.225&r2=1.226
