From 14dd6717f83e21e66a1a1f07219216bf84c882fe Mon Sep 17 00:00:00 2001 From: Sam Leffler Date: Sun, 23 Feb 2003 00:47:06 +0000 Subject: [PATCH] Add a new config option IPSEC_FILTERGIF to control whether or not packets coming out of a GIF tunnel are re-processed by ipfw, et. al. By default they are not reprocessed. With the option they are. This reverts 1.214. Prior to that change packets were not re-processed. After they were which caused problems because packets do not have distinguishing characteristics (like a special network if) that allows them to be filtered specially. This is really a stopgap measure designed for immediate MFC so that 4.8 has consistent handling to what was in 4.7. PR: 48159 Reviewed by: Guido van Rooij MFC after: 1 day --- sys/conf/NOTES | 11 +++++++++++ sys/conf/options | 1 + sys/netinet/ip_input.c | 7 +++++++ 3 files changed, 19 insertions(+) diff --git a/sys/conf/NOTES b/sys/conf/NOTES index cc511e45827..f03279a8396 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -364,6 +364,17 @@ options INET6 #IPv6 communications protocols options IPSEC #IP security options IPSEC_ESP #IP security (crypto; define w/ IPSEC) options IPSEC_DEBUG #debug for IP security +# +# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel +# to be processed by any configured packet filtering (ipfw, ipf). +# The default is that packets coming from a tunnel are _not_ processed; +# they are assumed trusted. +# +# Note that enabling this can be problematic as there are no mechanisms +# in place for distinguishing packets coming out of a tunnel (e.g. no +# encX devices as found on openbsd). +# +#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel #options FAST_IPSEC #new IPsec (cannot define w/ IPSEC) diff --git a/sys/conf/options b/sys/conf/options index 4ec220d282f..7a16efc1b76 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -327,6 +327,7 @@ INET6 opt_inet6.h IPSEC opt_ipsec.h IPSEC_ESP opt_ipsec.h IPSEC_DEBUG opt_ipsec.h +IPSEC_FILTERGIF opt_ipsec.h FAST_IPSEC opt_ipsec.h IPDIVERT DUMMYNET opt_ipdn.h diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 04aa1c37f37..7e1ed1fcd4f 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -427,6 +427,13 @@ tooshort: } else m_adj(m, ip->ip_len - m->m_pkthdr.len); } +#if defined(IPSEC) && !defined(IPSEC_FILTERGIF) + /* + * Bypass packet filtering for packets from a tunnel (gif). + */ + if (ipsec_gethist(m, NULL)) + goto pass; +#endif /* * IpHack's section.