sys/net/ip6fw/ip6_fw.c: disable esp option
Hiroki Sato
hrs at allbsd.org
Tue Dec 28 13:49:27 PST 2004
Jeffrey Hsu <hsu at xxxxxxxxxxx> wrote
in <41D1C8BA.8050201 at xxxxxxxxxxx>:
hsu> > Here is a patch to disable the ESP option for ip6fw which does
hsu> > not work properly.
hsu>
hsu> What's wrong with it and how hard would it be to fix ipfw6 to
hsu> handle ESP properly instead of disabling it?

Sorry, I wrote the message wrongly. It is actually not disabled and
ip6fw itself can work with ESP packets. The problem is that the
following rule does not work without the patch:

    allow esp from any to any

while the following rule works:

    allow all from any to any ipv6options esp

Currently the former form is recognized as a rule for protocol 50, but
the kernel does not apply this rule properly, so when IPPROTO_ESP is
found "ip6opt esp" should be examined.

--
| Hiroki SATO