Re: reverse processing order: NAT, IPsec ?

[Hubert Feyrer <hubert%feyrer.de@localhost>]

Hi David,

On Fri, 12 Jun 2009, David Young wrote:
> <soapbox>
> These difficulties sound like a symptom of the design flaw in NetBSD's
> IPsec that we should not repeat: hard-coding hooks in the IP input
> and output routines.  A design that re-used existing abstractions
> to provide building blocks to the operator---for example, an IPsec
> pseudo-interface where the IPsec processing occurs---would be more
> versatile and transparent, and it would spare us some complexity in the
> IP code.
>
> You could attach to an IPsec pseudo-interface both a BPF tap, packet
> filters and translators.  It seems that a second attachment point for
> packet filters is what you need here.
> </soapbox>

Indeed... but we don't have that, and I only start digging into the kernel 
in that area. What I currently see is that an ICMP ECHO is going out, with 
proper NAT and IPsec appled. The reply gets in via IPsec fine, but is not 
NATted back properly any more.

I've tried the patch below to run NAT a second time after IPsec, but that 
doesn't do anything. I've also tried PFIL_OUT instead of PFIL_IN, but that 
resulted in a loop, just like running pfil_run_hooks() before the 
inetsw[].pr_input() calls. (I've tried all four combinations, no go)

I'm not sure where to go from there, esp. that the sending of the ICMP 
ECHO DTRT, and that only the receiving part causes trouble here.

Do you have an idea?


 - Hubert


Index: ip_input.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_input.c,v
retrieving revision 1.275.4.1
diff -u -r1.275.4.1 ip_input.c
--- ip_input.c  25 Nov 2008 04:04:38 -0000      1.275.4.1
+++ ip_input.c  25 Jun 2009 14:47:48 -0000
@@ -1057,6 +1057,26 @@
        int off = hlen, nh = ip->ip_p;

        (*inetsw[ip_protox[nh]].pr_input)(m, off, nh);
+
+       /* XXX HF: PFIL_HOOKS run #2 */
+       {
+               int rc;
+               printf("HF: running pfil_run_hooks()\n");
+               rc = pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, 
PFIL_IN);
+               if (rc != 0) {
+                       printf("HF: bad: pfil_run_hooks returned %d\n", rc);
+                       goto bad;
+               } else {
+                       printf("HF: good: pfil_run_hooks returned %d\n", rc);
+               }
+               if (m == NULL) {
+                       printf("HF: bad: m == NULL\n");
+                       goto bad;
+               } else {
+                       printf("HF: good: m != NULL\n");
+               }
+       }
+
        return;
     }
 bad: