DragonFly submit List (threaded) for 2004-12
[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index][Thread Index]

Re: sys/net/ip6fw/ip6_fw.c: disable esp option

From:	Hiroki Sato <hrs@xxxxxxxxxx>
Date:	Wed, 29 Dec 2004 06:35:47 +0900 (JST)

Jeffrey Hsu <hsu@xxxxxxxxxxx> wrote
  in <41D1C8BA.8050201@xxxxxxxxxxx>:

hsu> >  Here is a patch to disable the ESP option for ip6fw which does
hsu> >  not work properly.
hsu> 
hsu> What's wrong with it and how hard would it be to fix ipfw6 to
hsu> handle ESP properly instead of disabling it?

 Sorry, I wrote the message wrongly.  It is actually not disabled and
 ip6fw itself can work with ESP packets.  The problem is that the
 following rule does not work without the patch:

  allow esp from any to any

 while the following rule works:

  allow all from any to any ipv6options esp

 Currently the former form is recognized as a rule for protocol 50, but
 the kernel does not apply this rule properly, so when IPPROTO_ESP is
 found "ip6opt esp" should be examined.

-- 
| Hiroki SATO

Attachment: pgp00024.pgp
Description: PGP signature

Follow-Ups:
- Re: sys/net/ip6fw/ip6_fw.c: disable esp option
  - From: Jeffrey Hsu

References:
- sys/net/ip6fw/ip6_fw.c: disable esp option
  - From: Hiroki Sato
- Re: sys/net/ip6fw/ip6_fw.c: disable esp option
  - From: Jeffrey Hsu

[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index][Thread Index]