On Tue, 1 Apr 2003, Sam Leffler wrote:
> Packets are tagged once they've been processed on input. I think you can do
> a similar check with something like:
>
> if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
>         goto pass;
>
> Long term, what I intend is to associate packets with an enc device so there's a
> way to identify these packets when writing firewall rules.
>
If the packets are tagged, wouldn't it be better to add an ipfw option instead of changing the interface? Then you could add a rule that both tests on the correct incoming interface and on the fact that IPsec processing was done. For example:

    ipfw add pass esp from 10.1.1.0/24 to any in via fxp1
    ipfw add deny all from any to any in via fxp1 not ipsecdone

--
Mikael Hubsch
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
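The rule pair above, modelled as an added user-space example (not FreeBSD code and not from either poster): a cut-down mbuf with a tag chain, a local m_tag_find() that mirrors the kernel call Sam quoted, and the proposed "ipsecdone" test applied to packets arriving on fxp1. The tag id value and the pkt/make_pkt helpers are assumptions for the model.

```c
/* Constructed model of the proposed "ipsecdone" ipfw option.
 * In FreeBSD a PACKET_TAG_IPSEC_IN_DONE m_tag is attached to an mbuf after
 * IPsec input processing; here mbuf and tag list are reduced to a tiny struct
 * so the rule logic can run outside the kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PACKET_TAG_IPSEC_IN_DONE 1   /* constructed value for the model */
#define IPPROTO_ESP 50

struct m_tag { int m_tag_id; struct m_tag *next; };
struct pkt {
    const char *rcvif;    /* receiving interface, e.g. "fxp1" */
    int proto;            /* IP protocol number */
    uint32_t src;         /* source address, host byte order */
    struct m_tag *tags;   /* tag chain, NULL when no tags */
};

static struct m_tag ipsec_done_tag = { PACKET_TAG_IPSEC_IN_DONE, NULL };

/* Walk the tag chain, like the kernel's m_tag_find(m, type, NULL). */
static struct m_tag *m_tag_find(const struct pkt *m, int type)
{
    for (struct m_tag *t = m->tags; t != NULL; t = t->next)
        if (t->m_tag_id == type)
            return t;
    return NULL;
}

struct pkt make_pkt(const char *rcvif, int proto, uint32_t src, bool ipsec_done)
{
    struct pkt m = { rcvif, proto, src, ipsec_done ? &ipsec_done_tag : NULL };
    return m;
}

/* Evaluate, for an inbound packet:
 *   ipfw add pass esp from 10.1.1.0/24 to any in via fxp1
 *   ipfw add deny all from any to any in via fxp1 not ipsecdone
 * Returns true when the packet gets past these two rules. */
bool ipfw_in_fxp1(struct pkt m)
{
    if (strcmp(m.rcvif, "fxp1") != 0)
        return true;                        /* neither rule binds this interface */
    bool from_vpn = (m.src & 0xffffff00u) == 0x0a010100u;   /* 10.1.1.0/24 */
    if (m.proto == IPPROTO_ESP && from_vpn)
        return true;                        /* rule 1: still-encrypted ESP */
    bool ipsecdone = m_tag_find(&m, PACKET_TAG_IPSEC_IN_DONE) != NULL;
    return ipsecdone;                       /* rule 2 drops untagged plaintext */
}
```

Plaintext arriving on fxp1 is denied unless it came out of IPsec input processing, while ESP from the peer network and already-decapsulated packets get through.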