From: "Sam Leffler"
Delivered-To: freebsd-current@freebsd.org
Subject: HEADS UP: ipsec packet filtering change
Date: Sat, 22 Feb 2003 23:13:07 -0800
Organization: Errno Consulting
Message-ID: <193501c2db0b$04666da0$52557f42@errno.com>

This may affect your ipfw/ipf rules. If you are happy with the current behaviour then add IPSEC_FILTERGIF to your kernel config file.

Sam

----- Original Message -----
From: "Sam Leffler"
Sent: Saturday, February 22, 2003 4:47 PM
Subject: cvs commit: src/sys/netinet ip_input.c src/sys/conf NOTES options

> sam 2003/02/22 16:47:07 PST
>
> Modified files:
>   sys/netinet ip_input.c
>   sys/conf NOTES options
> Log:
>   Add a new config option IPSEC_FILTERGIF to control whether or not
>   packets coming out of a GIF tunnel are re-processed by ipfw, et. al.
>   By default they are not reprocessed. With the option they are.
>
>   This reverts 1.214. Prior to that change packets were not re-processed.
>   After they were which caused problems because packets do not have
>   distinguishing characteristics (like a special network if) that allows
>   them to be filtered specially.
>
>   This is really a stopgap measure designed for immediate MFC so that
>   4.8 has consistent handling to what was in 4.7.
>
>   PR: 48159
>   Reviewed by: Guido van Rooij
>   MFC after: 1 day
>
>   Revision  Changes  Path
>   1.1129    +11 -0   src/sys/conf/NOTES
> http://cvsweb.FreeBSD.org/src/sys/conf/NOTES.diff?r1=1.1128&r2=1.1129
>   1.374     +1 -0    src/sys/conf/options
> http://cvsweb.FreeBSD.org/src/sys/conf/options.diff?r1=1.373&r2=1.374
>   1.226     +7 -0    src/sys/netinet/ip_input.c
> http://cvsweb.FreeBSD.org/src/sys/netinet/ip_input.c.diff?r1=1.225&r2=1.226