Jeffrey Hsu <hsu@freebsd.org> wrote
in <41D1C8BA.8050201@freebsd.org>:
hsu> > Here is a patch to disable the ESP option for ip6fw which does
hsu> > not work properly.
hsu>
hsu> What's wrong with it and how hard would it be to fix ipfw6 to
hsu> handle ESP properly instead of disabling it?
Sorry, I wrote the message wrongly. It is actually not disabled and
ip6fw itself can work with ESP packets. The problem is that the
following rule does not work without the patch:

    allow esp from any to any

while the following rule works:

    allow all from any to any ipv6options esp

Currently the former form is recognized as a rule for protocol 50, but
the kernel does not apply this rule properly, so when IPPROTO_ESP is
found "ip6opt esp" should be examined.
--
| Hiroki SATO