Date:      Thu, 09 Dec 2004 14:46:17 +0100
From:      Andre Oppermann <andre@freebsd.org>
To:        Jeremie Le Hen <jeremie@le-hen.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: (review request) ipfw and ipsec processing order for outgoing packets
Message-ID:  <41B85729.40F00890@freebsd.org>
References:  <20041129100949.GA19560@bps.jodocus.org> <41AAF696.6ED81FBF@freebsd.org> <20041129103031.GA19828@bps.jodocus.org> <41AB3A74.8C05601D@freebsd.org> <20041129174954.GA26532@bps.jodocus.org> <41AB65B2.A18534BF@freebsd.org> <20041206134315.GF79919@obiwan.tataz.chchile.org>

Jeremie Le Hen wrote:
> 
> > > > > I have some stuff wrt [Fast]IPSEC and your problem in the works and
> > > > > it should become ready around Christmas time (loadable [Fast]IPSEC, at
> > > > > least for IPv4).
> > > >
> > > > While this way of 'fixing' the IPSEC problem works it is rather gross
> > > > and not very stylish.  I prefer not to have this in the tree as it makes
> > > > maintenance a lot harder.
> > >
> > > I totally agree that it is not pretty. I was trying to avoid duplicating
> > > the code (so every change would have to be made twice) and making it a
> > > function didn't sit right for some reason. Hints/tips for dealing with
> > > this kind of situation are welcome, but maybe better off-list.
> >
> > As things currently are with IPSEC code weaved directly into ip_input()
> > and ip_output() there is no better way than what you have proposed.
> >
> > It will solve it much more nicely. :)
> 
> If I understand correctly, either Joost's patch or your nice changes
> that-should-appear-before-Christmas will achieve what the OpenBSD enc(4)
> interface provides [1].  It would be really wonderful.  But I may be
> missing something because I can see no way in firewall rules to
> distinguish between the before IPSec processing hook and the after IPSec
> processing one.  Could you clarify this for me please?

With the changes you can choose whether you want to do firewalling before
ipsec processing or after but not both.  The enc(4) pseudo device looks
interesting but I haven't looked at the code.  Maybe that makes things
easier.  I'll look into it.

-- 
Andre
