freebsd-dev/sys
Guido van Rooij 2f591ab8fe Get rid of checking for ip sec history. It is true that packets are not
supposed to be checked by the firewall rules twice. However, because the
various ipsec handlers never call ip_input(), this never happens anyway.

This fixes the situation where a gif tunnel is encrypted with IPsec. In
such a case, after IPsec processing, the unencrypted contents from the
GIF tunnel are fed back to the ipintrq and subsequently handled by
ip_input(). Yet, since there still is IPSec history attached, the
packets coming out from the gif device are never fed into the filtering
code.
This fix was sent to Itojun, and he pointed towards
    http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
This patch actually implements what is stated there (specifically:
Packet came from tunnel devices (gif(4) and ipip(4)) will still
go through ipf(4). You may need to identify these packets by
using interface name directive in ipf.conf(5).

Reviewed by:	rwatson
MFC after:	3 weeks
2002-10-16 09:01:48 +00:00
alpha The a.out md_coredump stuff isn't referenced anywhere anymore, and 2002-10-15 00:02:50 +00:00
amd64 Be consistent about functions being static. 2002-10-16 08:57:14 +00:00
arm Add standards visibility conditionals. Change any uses of sigset_t to 2002-10-13 00:31:46 +00:00
boot Compile in support for zipfs and bzipfs so we can load the gzipped mfsroot 2002-10-13 18:52:46 +00:00
cam Trapdoor access to cd%da and cd%c so they still work, but do not let them 2002-10-11 10:35:17 +00:00
coda Back our kernel support for reliable signal queues. 2002-10-01 17:15:53 +00:00
compat - Add support for IPC_64 extensions into shmctl(2), semctl(2) and msgctl(2); 2002-10-11 11:43:09 +00:00
conf Tie new "Fast IPsec" code into the build. This involves the usual 2002-10-16 02:25:05 +00:00
contrib Replace aux mbufs with packet tags: 2002-10-16 01:54:46 +00:00
crypto Don't panic when we can just return an error code. 2002-10-14 11:21:05 +00:00
ddb Round out the facility for a 'bound' thread to loan out its KSE 2002-10-09 02:33:36 +00:00
dev Be consistent about functions being static. 2002-10-16 08:48:39 +00:00
fs Fix comments and one resulting code confusion about the type of the 2002-10-16 08:04:11 +00:00
geom Return an error if the drive reports heads/sectors that do not make sense. 2002-10-15 21:28:50 +00:00
gnu Regularize the vop_stdlock'ing protocol across all the filesystems 2002-10-14 03:20:36 +00:00
i4b Be consistent about marking functions static. 2002-10-15 20:32:45 +00:00
i386 Be consistent about functions being static. 2002-10-16 08:57:14 +00:00
ia64 Fix kernel module loading on ia64. Cross-module function calls 2002-10-15 05:40:07 +00:00
isa - Use __BUS_ACCESSOR() to define the ISA ivar accessor functions instead of 2002-10-15 00:02:51 +00:00
isofs/cd9660 Fix comments and one resulting code confusion about the type of the 2002-10-16 08:04:11 +00:00
kern Replace aux mbufs with packet tags: 2002-10-16 01:54:46 +00:00
libkern Slight overhaul of arc4random() and friends. 2002-10-11 13:13:08 +00:00
modules - Remove unused opt_foo.h headers. 2002-10-14 19:18:30 +00:00
net Fix misindentation. 2002-10-16 09:00:53 +00:00
netatalk Add more ethernet types and move AppleTalk types into proper location. 2002-09-06 17:02:29 +00:00
netatm Add a field to struct cmn_unit to hold a pointer to the driver's softc. 2002-10-01 22:04:31 +00:00
netgraph use __packed. 2002-09-23 18:54:32 +00:00
netinet Get rid of checking for ip sec history. It is true that packets are not 2002-10-16 09:01:48 +00:00
netinet6 Tie new "Fast IPsec" code into the build. This involves the usual 2002-10-16 02:25:05 +00:00
netipsec "Fast IPsec": this is an experimental IPsec implementation that is derived 2002-10-16 02:10:08 +00:00
netipx Replace aux mbufs with packet tags: 2002-10-16 01:54:46 +00:00
netkey - fixed the order of searching SA table for packets. 2002-07-10 16:39:38 +00:00
netnatm
netncp Change iov_base's type from 'char *' to the standard 'void *'. All 2002-10-11 14:58:34 +00:00
netns Use m_length() instead of home-rolled versions. 2002-09-18 19:44:14 +00:00
netsmb Some kernel threads try to do significant work, and the default KSTACK_PAGES 2002-10-02 07:44:29 +00:00
nfs Change iov_base's type from 'char *' to the standard 'void *'. All 2002-10-11 14:58:34 +00:00
nfsclient Regularize the vop_stdlock'ing protocol across all the filesystems 2002-10-14 03:20:36 +00:00
nfsserver Correct a problem wherein NFS servers running NFSv2 would not return 2002-10-03 21:50:37 +00:00
opencrypto Change iov_base's type from 'char *' to the standard 'void *'. All 2002-10-11 14:58:34 +00:00
pc98 MFi386: revision 1.9. 2002-10-14 12:07:39 +00:00
pccard MFp4: Comment about not assuming INTA# for 6729 2002-10-07 07:02:48 +00:00
pci Rename struct softc to struct mn_softc. 2002-10-16 08:41:38 +00:00
posix4 Tidy up the scheduler's code for changing the priority of a thread. 2002-10-14 20:34:31 +00:00
powerpc The a.out md_coredump stuff isn't referenced anywhere anymore, and 2002-10-15 00:02:50 +00:00
rpc
security Regularize the vop_stdlock'ing protocol across all the filesystems 2002-10-14 03:20:36 +00:00
sparc64 The a.out md_coredump stuff isn't referenced anywhere anymore, and 2002-10-15 00:02:50 +00:00
sys Replace aux mbufs with packet tags: 2002-10-16 01:54:46 +00:00
tools - Move ASSERT_VOP_*LOCK* functionality into functions in vfs_subr.c 2002-09-26 04:48:44 +00:00
ufs Change locking so that all snapshots on a particular filesystem share 2002-10-16 00:19:23 +00:00
vm Remove old useless debugging code 2002-10-14 20:31:54 +00:00
Makefile