ipsec csomagszűrés a FreeBSD-s ipfw2-ben


Jelenleg nincs támogatás a FreeBSD-s ipfw2-ben arra, hogy olyan szabályokat hozzunk létre, amelyek azokra a csomagokra illeszkednek, amelyek IPsec kapcsolaton keresztül érkeznek. Erre viszont szükség lenne akkor, ha IPsec környezetben szeretnénk tűzfalat építeni. Ez a patch, amely a /sys/netinet/ip_fw2.c fájlhoz készült, FAST_IPSEC támogatást ad az ipfw2-höz.

Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

From: Ari Suutari

Date: 2003-07-01 5:40:18

The following reply was made to PR kern/53624; it has been noted by GNATS.

From: Ari Suutari

To: freebsd-gnats-submit@FreeBSD.org, ari.suutari@syncrontech.com

Cc:

Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

Date: Tue, 1 Jul 2003 08:33:41 +0300

Here is a new patch for /sys/netinet/ip_fw2.c, which also adds support for FAST_IPSEC (untested, but I believe it should work since the change is simple).


Index: ip_fw.h

==================================================

=================

RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v

retrieving revision 1.76.2.1

diff -u -r1.76.2.1 ip_fw.h

--- ip_fw.h 4 Jun 2003 02:19:36 -0000 1.76.2.1

+++ ip_fw.h 19 Jun 2003 08:17:44 -0000

@@ -119,6 +119,7 @@

O_TEE, /* arg1=port number */

O_FORWARD_IP, /* fwd sockaddr */

O_FORWARD_MAC, /* fwd mac */

+ O_IPSEC, /* has ipsec history */

O_LAST_OPCODE /* not an opcode! */

};
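Review bot: The comment on the new opcode, `/* has ipsec history */`, describes the KAME implementation detail rather than the rule semantics a reader of ip_fw.h needs; `O_IPSEC, /* packet was received through IPsec (inbound SA processing done) */` says what the rule actually matches. Adding the value immediately before O_LAST_OPCODE keeps every existing opcode number stable, which matters because the opcode is part of the rule layout shared with userland. Presumably ipfw(8) also needs to learn the new opcode to emit it; that part is not in the patch as shown here.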

Index: ip_fw2.c

==================================================

=================

RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v

retrieving revision 1.28.2.1

diff -u -r1.28.2.1 ip_fw2.c

--- ip_fw2.c 4 Jun 2003 02:19:36 -0000 1.28.2.1

+++ ip_fw2.c 1 Jul 2003 05:28:44 -0000

@@ -73,6 +73,10 @@

#include

#include

+#ifdef IPSEC

+#include

+#endif

+

#include /* XXX for ETHERTYPE_IP */

#include /* XXX for in_cksum */
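Review bot: The new include is only brought in under `#ifdef IPSEC`, while the FAST_IPSEC branch added in the @@ -1787 hunk relies on m_tag_find() and PACKET_TAG_IPSEC_IN_DONE, and the submission says the FAST_IPSEC build is untested. It is worth confirming that those names are visible through headers ip_fw2.c already includes, or adding the matching `#ifdef FAST_IPSEC` include next to this one. The header names themselves have been stripped from this rendering, so the exact files cannot be verified from the page.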

@@ -1787,6 +1791,18 @@

(TH_RST | TH_ACK | TH_SYN)) != TH_SYN);

break;

+ case O_IPSEC:

+#ifdef FAST_IPSEC

+ match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);

+#else

+#ifdef IPSEC

+ match = (ipsec_gethist(m, NULL) != NULL);

+#else

+ match = 0;

+#endif /* IPSEC */

+#endif /* FAST_IPSEC */

+ break;

+

case O_LOG:

if (fw_verbose)

ipfw_log(f, hlen, args->eh, m, oif);
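Review bot: The final `#else` branch of the new O_IPSEC case sets `match = 0;`, so on a kernel built without IPSEC or FAST_IPSEC a rule using this opcode is accepted yet can never match, and nothing tells the administrator; rejecting the opcode at rule-install time (the check in the @@ -2378 hunk) would surface that instead of silently weakening the policy. The match is also coarse: it tests only that inbound IPsec processing happened on this mbuf (the PACKET_TAG_IPSEC_IN_DONE tag, or the KAME history), not which SA or peer, and not whether the packet will leave through IPsec, so a short comment such as `/* true if this packet arrived through an IPsec SA; does not identify the SA or peer */` on the case would help rule authors. As a point of style, the nested `#ifdef FAST_IPSEC` / `#else` / `#ifdef IPSEC` ladder reads more clearly as `#if defined(FAST_IPSEC)` / `#elif defined(IPSEC)` / `#else`. The enclosing switch in ipfw_chk continues outside the hunk.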

@@ -2378,6 +2394,7 @@

case O_TCPFLAGS:

case O_TCPOPTS:

case O_ESTAB:

+ case O_IPSEC:

case O_VERREVPATH:

if (cmdlen != F_INSN_SIZE(ipfw_insn))

goto bad_size;
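Review bot: The size check accepts O_IPSEC in every build, including kernels compiled without IPSEC or FAST_IPSEC, where the matcher in the @@ -1787 hunk unconditionally yields no match; loading a rule that can never fire is a silent policy error for a firewall. Guarding the new label as `#if defined(IPSEC) || defined(FAST_IPSEC)` / `case O_IPSEC:` / `#endif` would presumably let the opcode fall into the default branch's unknown-opcode rejection on such kernels, so the mistake is reported at install time. The enclosing switch in check_ipfw_struct starts and ends outside the hunk.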