From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 5 03:41:55 2003
Date: Tue, 5 Aug 2003 03:41:45 -0700
From: Luigi Rizzo
To: Ari Suutari
Cc: Christian Kratzer
Cc: sam@FreeBSD.org
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Message-ID: <20030805034145.B49439@xorpc.icir.org>
In-Reply-To: <200308041029.45598.ari.suutari@syncrontech.com>; from ari.suutari@syncrontech.com on Mon, Aug 04, 2003 at 10:29:45AM +0300
List-Id: IPFW Technical Discussions

Ari,
maybe the problem was with FAST_IPSEC, i seem to remember a related
MFC recently...

[Sam, this is about the 'ipsec' dummynet option which was reported
as not working with RELENG_4...]

cheers
luigi

On Mon, Aug 04, 2003 at 10:29:45AM +0300, Ari Suutari wrote:
> Hi,
>
> On Thursday 10 July 2003 12:12, Christian Kratzer wrote:
> > Hi,
> >
> > We applied the patch to a RELENG_4 system but can't seem to be able to
> > catch packets based on them having ipsec history or not.
> >
> > We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.
> >
> > We currently have an ipsec esp tunnel running between two locations without
> > any gif tunnels. IPSEC_FILTERGIF seems to be working fine as packets are
> > now being filtered by our ipfw ruleset.
> >
> > We can't match any packets based on the ipsec or not ipsec flags in ipfw2.
> >
> > I just wanted to ask if somebody knows the obvious before I start digging
> > my head in the code.
>
> I did my quick testing on 5.1-RELEASE system, but I cannot really
> understand why the change wouldn't work on RELENG_4 also.
> It uses only one call which works on RELENG_4 (otherwise a system
> *without* IPSEC_FILTERGIF wouldn't work as expected).
>
> I have really tested with KAME ipsec. Are you using FAST_IPSEC ?
>
> Ari S.
>