On Fri, 26 Jun 2009, Edgar Fuß wrote:
>> Or do you have those anti-spoofing rules in your packet filter (PF/IPfilter) config?
> Yes, but I don't understand what you mean by "or".

I was under the impression that you were referring to some in-kernel code that filters certain packets, instead of your own filter rules. Hence the "or".

>> Also, if you don't run the PFIL_HOOKS on the decapsulated packet, how do you prevent someone from sending "internal" packets via IPSEC - plain trust?
> Yes. I trust the IPsec peer (because it's run by me).
> Not that I'm against running de-encapsulated packets through the filter again (to the contrary, I would like that idea). Only, those packets must be distinguishable from packets arriving in the clear.
Yes. FWIW, our two IPsec implementations behave differently in that regard; see the two functions that my last patch disabled: one checks if there's a tag that indicates an ESP header, the other indicates whether a packet was processed by IPsec or not. I think the latter would be what we'd need here, and then an interface would be needed for IPfilter / PF to refer to that flag.

The bad news is that I don't have the time to work on that, and that I'll just live with my patch for now. Sorry! :)
- Hubert
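For readers unfamiliar with the "anti-spoofing rules" the thread refers to, here is an added example of what such rules look like in pf.conf. It is not from the thread or from either author; the interface names (wm0, wm1) and the inside address range are constructed assumptions for illustration.

```pf
# Added example (not from the thread): a minimal pf.conf fragment that blocks
# spoofed "internal" packets arriving in the clear on the outside interface.
# Interface names and the inside address range are assumptions.
ext_if  = "wm0"
int_if  = "wm1"
int_net = "192.0.2.0/24"       # constructed example range (RFC 5737)

# Drop packets on the outside interface that claim an inside source address,
# and log them so spoofing attempts show up in pflog.
block in log quick on $ext_if from $int_net to any

# Let pf derive the equivalent rule from the inside interface's own addresses.
antispoof log quick for $int_if

# IPsec itself (ESP/AH) and IKE addressed to the outside interface stay allowed.
pass in on $ext_if proto { esp, ah } from any to ($ext_if)
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
```

These rules only ever see the packet as it arrives on the wire. Whether the inner packet that the kernel decapsulates from an ESP payload is run through the same rules a second time is exactly the pfil-hook behaviour the thread is about: if the decapsulated packet is not passed back through the hooks, the first rule never gets a chance to reject an inside source address carried inside the tunnel, and the filter is relying on trust in the IPsec peer instead.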