Date: Mon, 4 Aug 2003 10:29:45 +0300
From: Ari Suutari <ari.suutari@syncrontech.com>
To: Christian Kratzer <ck@cksoft.de>, Christian Kratzer <ck-lists@cksoft.de>, Luigi Rizzo <luigi@FreeBSD.org>
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Message-ID: <200308041029.45598.ari.suutari@syncrontech.com>
In-Reply-To: <20030710110751.L84774@majakka.cksoft.de>
References: <200307070113.h671DPeG082710@freefall.freebsd.org> <20030706234624.A45394@xorpc.icir.org> <20030710110751.L84774@majakka.cksoft.de>

Hi,

On Thursday 10 July 2003 12:12, Christian Kratzer wrote:
> Hi,
>
> We applied the patch to a RELENG_4 system but can't seem to be able to
> catch packets based on them having ipsec history or not.
>
> We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.
>
> We currently have an ipsec esp tunnel running between two locations without
> any gif tunnels. IPSEC_FILTERGIF seems to be working fine as packets are
> now being filtered by our ipfw ruleset.
>
> We can't match any packets based on the ipsec or not ipsec flags in ipfw2.
>
> I just wanted to ask if somebody knows the obvious before I start digging
> my head in the code.

I did my quick testing on 5.1-RELEASE system, but I cannot really
understand why the change wouldn't work on RELENG_4 also. It uses only
one call which works on RELENG_4 (otherwise a system *without*
IPSEC_FILTERGIF wouldn't work as expected).

I have really tested with KAME ipsec. Are you using FAST_IPSEC?

	Ari S.