sys/net/ip6fw/ip6_fw.c: disable esp option

Hiroki Sato hrs at allbsd.org
Tue Dec 28 13:49:27 PST 2004


Jeffrey Hsu <hsu at xxxxxxxxxxx> wrote
  in <41D1C8BA.8050201 at xxxxxxxxxxx>:

hsu> >  Here is a patch to disable the ESP option for ip6fw which does
hsu> >  not work properly.
hsu> 
hsu> What's wrong with it and how hard would it be to fix ipfw6 to
hsu> handle ESP properly instead of disabling it?

 Sorry, I wrote the message wrongly.  It is actually not disabled and
 ip6fw itself can work with ESP packets.  The problem is that the
 following rule does not work without the patch:

  allow esp from any to any

 while the following rule works:

  allow all from any to any ipv6options esp

 Currently the former form is recognized as a rule for protocol 50, but
 the kernel does not apply this rule properly, so when IPPROTO_ESP is
 found "ip6opt esp" should be examined.

-- 
| Hiroki SATO
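As an added illustration (not the patch and not the ip6fw kernel code), a simplified C model of why a protocol-50 rule has to consult the ESP option: ESP is an IPv6 extension header, so a matcher only sees it by walking the header chain, and the walk must stop there because what follows is encrypted. The header layout is reduced to next-header/length bytes, the `IP6OPT_ESP` flag name is hypothetical, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#define IPPROTO_HOPOPTS  0
#define IPPROTO_ROUTING  43
#define IPPROTO_FRAGMENT 44
#define IPPROTO_ESP      50
#define IPPROTO_DSTOPTS  60
#define IP6OPT_ESP       0x01   /* hypothetical flag for "ipv6options esp" */
/* Walk a simplified IPv6 extension-header chain (40-byte base header, then
 * [next-header][length] headers). Returns the final next-header value and
 * records ESP in *opts. Constructed model, not the ip6fw kernel code. */
int ip6_walk(const uint8_t *pkt, size_t len, unsigned *opts)
{
    size_t off = 40;
    int nxt = (len >= off) ? pkt[6] : -1;
    *opts = 0;
    if (nxt < 0) return -1;
    for (;;) {
        switch (nxt) {
        case IPPROTO_HOPOPTS: case IPPROTO_ROUTING: case IPPROTO_DSTOPTS:
            if (off + 2 > len) return -1;
            nxt = pkt[off]; off += ((size_t)pkt[off + 1] + 1) * 8;  /* 8-octet units, first not counted */
            break;
        case IPPROTO_FRAGMENT:
            if (off + 8 > len) return -1;
            nxt = pkt[off]; off += 8;
            break;
        case IPPROTO_ESP:
            *opts |= IP6OPT_ESP;  /* payload after ESP is encrypted: stop here */
            return nxt;
        default:
            return nxt;           /* upper-layer protocol, e.g. TCP (6) */
        }
    }
}
/* rule_proto < 0 means "all". A proto==ESP rule is satisfied only by the ESP
 * option being present, which is the extra check the message asks for. */
bool rule_matches(int rule_proto, unsigned rule_opts, const uint8_t *pkt, size_t len)
{
    unsigned opts;
    int last = ip6_walk(pkt, len, &opts);
    if (last < 0 || (rule_opts & opts) != rule_opts) return false;
    if (rule_proto < 0) return true;
    if (rule_proto == IPPROTO_ESP) return (opts & IP6OPT_ESP) != 0;
    return last == rule_proto;
}
/* Constructed samples: base header -> 8-byte hop-by-hop header -> ESP; and plain TCP. */
static const uint8_t esp_pkt[48] = { [6] = IPPROTO_HOPOPTS, [40] = IPPROTO_ESP };
static const uint8_t tcp_pkt[60] = { [6] = 6 };
```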