tech-net archive
Re: reverse processing order: NAT, IPsec ?
On Thu, 25 Jun 2009, Hubert Feyrer wrote:
> Do you have an idea?
OK, a step further:
Reverting to the original code with just the patch below makes things work
for me. Apparently the current code only runs the PFIL_HOOKS once for
incoming IPsec packets, but not a second time after de-encapsulation.
This is what I'm seeing in tcpdump here. Disabling the test if the packet
was already processed gets NAT done properly (and yes, I have FAST_IPSEC
enabled instead of IPSEC).
Does anyone have an idea on the implications here? Why is a second run of
PFIL_HOOKS disabled (only!) for IPsec?
- Hubert
Index: ip_input.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_input.c,v
retrieving revision 1.275.4.1
diff -u -r1.275.4.1 ip_input.c
--- ip_input.c 25 Nov 2008 04:04:38 -0000 1.275.4.1
+++ ip_input.c 25 Jun 2009 15:12:21 -0000
@@ -653,7 +653,7 @@
#ifdef IPSEC
if (!ipsec_getnhist(m))
#elif defined(FAST_IPSEC)
- if (!ipsec_indone(m))
+ if (1 || !ipsec_indone(m))
#else
if (1)
#endif
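Review bot: `if (1 || !ipsec_indone(m))` leaves `ipsec_indone(m)` as dead code behind a constant-true condition (and most compilers will warn about it), so if the second pass through the hooks is the behaviour you want to keep, the FAST_IPSEC arm should simply become `if (1)` like the `#else` arm below it, with a comment saying why decapsulated packets are filtered again. The hunk only changes the FAST_IPSEC arm; the `#ifdef IPSEC` arm still gates on `ipsec_getnhist(m)`, so after this patch the two IPsec stacks disagree on whether a decapsulated packet is run through pfil (and therefore NAT) a second time. That divergence should either be deliberate and documented or the IPSEC arm changed to match.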
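To make the ordering problem concrete, here is a small C model of the path the mail describes: ip_input() runs the pfil hooks (a single NAT redirect rule here), hands an ESP packet to IPsec, and IPsec re-injects the decapsulated inner packet marked as "input done". The `guard_hooks` flag selects between the original `if (!ipsec_indone(m))` and the patched always-true condition. This is an added illustration, not NetBSD kernel code; the packet struct, the addresses and the NAT rule are constructed for the example.

```c
/*
 * Toy model of the ip_input() / pfil / IPsec ordering discussed above.
 * Added example, not NetBSD code: the packet struct, addresses and the
 * single NAT rule are constructed to show why the inner packet misses NAT.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed addresses (RFC 5737 documentation ranges). */
#define GATEWAY_ADDR   0xC6336401u  /* 198.51.100.1: the IPsec endpoint itself */
#define PUBLIC_SVC     0xC633640Au  /* 198.51.100.10: public address of a service */
#define INTERNAL_SVC   0x0A000005u  /* 10.0.0.5: where the rdr rule sends it */

struct pkt {
    uint32_t src, dst;
    bool esp;               /* outer packet is ESP: IPsec will decapsulate it */
    bool ipsec_in_done;     /* models the mark that ipsec_indone(m) tests */
    struct pkt *inner;      /* decapsulated payload of an ESP packet */
    int nat_hits;           /* how many times the NAT hook rewrote this packet */
};

/* The pfil hook: one "rdr" rule, public service address -> internal host. */
static void nat_hook(struct pkt *p)
{
    if (p->dst == PUBLIC_SVC) {
        p->dst = INTERNAL_SVC;
        p->nat_hits++;
    }
}

/* IPsec input: strip the ESP header and return the inner packet with the
 * "input done" mark set, which is what the re-injected packet carries. */
static struct pkt *ipsec_input(struct pkt *p)
{
    struct pkt *inner = p->inner;
    inner->ipsec_in_done = true;
    return inner;
}

/*
 * ip_input() model. 'guard_hooks' selects the line the patch changes:
 * true keeps "if (!ipsec_indone(m))", false behaves like "if (1)".
 * Returns the packet that finally reaches local delivery.
 */
struct pkt *ip_input(struct pkt *p, bool guard_hooks)
{
    /* pfil hooks run here, unless the packet already came out of IPsec */
    if (!guard_hooks || !p->ipsec_in_done)
        nat_hook(p);

    if (p->esp) {
        /* decapsulate and re-enter ip_input() with the inner packet */
        return ip_input(ipsec_input(p), guard_hooks);
    }
    return p;   /* local delivery */
}

/* Constructed traffic: ESP to the gateway carrying a plaintext packet
 * addressed to the service's public address. */
static struct pkt inner_pkt, outer_pkt;

struct pkt *run_scenario(bool guard_hooks)
{
    inner_pkt = (struct pkt){ .src = 0x0A000102u, .dst = PUBLIC_SVC };
    outer_pkt = (struct pkt){ .src = 0xC0A80A01u, .dst = GATEWAY_ADDR,
                              .esp = true, .inner = &inner_pkt };
    return ip_input(&outer_pkt, guard_hooks);
}

int main(void)
{
    struct pkt *d;

    d = run_scenario(true);   /* original guard: inner packet skips NAT */
    printf("guarded:   delivered dst=0x%08x nat_hits=%d\n", d->dst, d->nat_hits);
    d = run_scenario(false);  /* patched: inner packet is NAT'd on the 2nd pass */
    printf("unguarded: delivered dst=0x%08x nat_hits=%d\n", d->dst, d->nat_hits);
    return 0;
}
```

With the guard in place the outer ESP packet is the only thing the NAT hook ever sees, and since its destination is the gateway the rule never matches; the inner packet, the one the rdr rule is written for, arrives with the "input done" mark and is delivered untranslated. Dropping the guard runs the hook a second time on the decapsulated packet, which is the behaviour the mail observes in tcpdump.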