Date: Tue, 19 Nov 2002 14:08:54 -0500 From: Scott Ullrich <sullrich@CRE8.COM> To: 'Guido van Rooij' <guido@gvr.org>, David Kelly <dkelly@hiwaay.net> Cc: Scott Ullrich <sullrich@CRE8.COM>, 'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG Subject: RE: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/ gif VPN tunnel packets on wrong NIC in ipfw?) Message-ID: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C57@exchange.corp.cre8.com>
next in thread | raw e-mail | index | archive | help
Guido, I am using a tunneling device (gif0). How are we supposed to fix the issue with your patch installed? If we need to add more rules, that's fine but what would these rules be? Are they before the divert? After the divert, etc? Is there a bug in ipfw? Either way, these changes should be noted in UPDATING since there are most likely a lot more people out there using gif tunnels. Thanks, Scott PS: I tried allowing the gif device rules (before and after the divert), allowing the internal addresses (before and after the divert rules) to no avail with your patch installed. -----Original Message----- From: Guido van Rooij [mailto:guido@gvr.org] Sent: Tuesday, November 19, 2002 1:56 PM To: David Kelly Cc: Scott Ullrich; 'Archie Cobbs'; 'greg.panula@dolaninformation.com'; FreeBSD-stable@FreeBSD.ORG Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?) On Tue, Nov 19, 2002 at 10:11:29AM -0600, David Kelly wrote: > > Once the ipsec history is removed from the packet then how/what/where > is the packet tagged as having come from? In my case it appears to > have It is tagged as any other packet. > retained properties of the ESP packet it was encased within. Don't > really know as I don't have multiple interfaces with ESP packets. The > system is in production so I can't casually swap interfaces to verify. > > At some point since early October when this system was previously > updated these IPsec packets started appearing on the wrong interface > in ipfw. Currently only one end of my link is updated, the other end > is running with the same configuration it has used for the past 9 > months. With configured (but apparently unused) gif and everything. What do you mean with wrong interface? What I did was remove the ipsec history check in ip_input(). What happens in you case is that ip packet come in, are fed into ipfw, then they are decrypted in esp_input() and then fed into the ip subprotocol directly from esp_input(). The code I removed only appears in the first call to ip_input(), but the code would not have any effect in that case. The only way that this removal could have an effect is when esp_input() called xxx_input() which in turn calls ip_input() again. Since you are not using a tunneling device, this does not happen. -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2F6DCE1EFAB3BC418B5C324F13934C9601D23C57>