
ipsec: fix logic for IPSEC_CAP_BYPASS_FILTER
AbandonedPublic

Authored by kib on Jun 27 2023, 3:05 AM.

Details

Reviewers
ae
Summary
The filter hooks code should be ignored if the ip{4,6}_filtertunnel knob is
disabled, OR the packet was already processed by IPsec.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

kib requested review of this revision. Jun 27 2023, 3:05 AM

I think the previous logic was correct and was derived from the code before the IPsec overhaul.

The idea of this feature is that a received packet that was previously protected by IPsec can be trusted, and thus there is no need to pass it through the firewall.
But when the user sets the net.inet.ipsec.filtertunnel=1 variable, even such trusted packets must be checked. Usually this is needed to keep firewall state tracking, some network translation, or just filtering for some addresses that were hidden inside the IPsec tunnel before decapsulation.