From owner-freebsd-net@freebsd.org Sun Jul 23 21:00:17 2017
From: bugzilla-noreply@FreeBSD.org
To: freebsd-net@FreeBSD.org
Subject: Problem reports for freebsd-net@FreeBSD.org that need special attention
Date: Sun, 23 Jul 2017 21:00:17 +0000
Message-Id: <201707232100.v6NL01aS095987@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
In Progress |    165622 | [ndis][panic][patch] Unregistered use of FPU in k
In Progress |    206581 | bxe_ioctl_nvram handler is faulty
New         |    204438 | setsockopt() handling of kern.ipc.maxsockbuf limi
New         |    205592 | TCP processing in IPSec causes kernel panic
New         |    206053 | kqueue support code of netmap causes panic
New         |    213410 | [carp] service netif restart causes hang only whe
New         |    215874 | [patch] [icmp] [mbuf_tags] teach icmp_error() opt
New         |    217748 | sys/dev/ixgbe/if_ix.c: PVS-Studio: Assignment to
New         |    220076 | [patch] [panic] [netgraph] repeatable kernel pani
Open        |    173444 | socket: IPV6_USE_MIN_MTU and TCP is broken
Open        |    193452 | Dell PowerEdge 210 II -- Kernel panic bce (broadc
Open        |    194485 | Userland cannot add IPv6 prefix routes
Open        |    194515 | Fatal Trap 12 Kernel with vimage
Open        |    199136 | [if_tap] Added down_on_close sysctl variable to t
Open        |    202510 | [CARP] advertisements sourced from CARP IP cause
Open        |    206544 | sendmsg(2) (sendto(2) too?) can fail with EINVAL;
Open        |    211031 | [panic] in ng_uncallout when argument is NULL
Open        |    211962 | bxe driver queue soft hangs and flooding tx_soft_

18 problems total for which you should take action.

From owner-freebsd-net@freebsd.org Mon Jul 24 11:21:11 2017
From: "Andrey V. Elsukov"
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Mon, 24 Jul 2017 14:18:25 +0300
In-Reply-To: <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org>

On 22.07.2017 08:36, Muenz, Michael wrote:
> On 21.07.2017 13:08, Andrey V. Elsukov wrote:
>>
>> With ipfw(4) it should work, at least on FreeBSD. pfsense/opensense have
>> their own patches, so I don't know what can be wrong there.
>>
> 
> I also tried 11.0 and 11.1RC3 vanilla kernels, no luck.
> Will build a test setup with the OPNsense devs.
> 
> I'm still positive that this can't be a huge issue.
> 
> Thanks for your efforts Andrey!

Ok, let's try to debug the problem. Please use 11.1-RC, it has a
significantly changed IPsec stack.

Apply the attached patch to if_enc(4), it makes if_enc a bit useful for
debugging your problem. You need to rebuild and reinstall
sys/modules/if_enc.

Now enable verbose BPF logging:
  net.enc.out.ipsec_bpf_mask=3
  net.enc.in.ipsec_bpf_mask=3

According to your tcpdump output, you need to set
  net.enc.out.ipsec_filter_mask=2

Show what you will see in the `tcpdump -nvi enc0` with such config
options. Also, show what you have in the `sysctl net.inet.ip.fw` and
`ipfw show` output.

-- 
WBR, Andrey V. Elsukov

Attachment: if_enc.diff (text/x-patch)

Index: sys/net/if_enc.c
===================================================================
--- sys/net/if_enc.c	(revision 321414)
+++ sys/net/if_enc.c	(working copy)
@@ -223,10 +223,11 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 	if (ctx->af != hhook_id)
 		return (EPFNOSUPPORT);
 
-	if (((hhook_type == HHOOK_TYPE_IPSEC_IN &&
-	    (ctx->enc & V_bpf_mask_in) != 0) ||
+	if ((ctx->enc & IPSEC_ENC_BEFORE) != 0 && (
+	    (hhook_type == HHOOK_TYPE_IPSEC_IN &&
+	    (V_bpf_mask_in & IPSEC_ENC_BEFORE) != 0) ||
 	    (hhook_type == HHOOK_TYPE_IPSEC_OUT &&
-	    (ctx->enc & V_bpf_mask_out) != 0)) &&
+	    (V_bpf_mask_out & IPSEC_ENC_BEFORE) != 0)) &&
 	    bpf_peers_present(ifp->if_bpf) != 0) {
 		hdr.af = ctx->af;
 		hdr.spi = ctx->sav->spi;
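Review bot: the rewritten condition narrows what a mask value means at this tap. Before, `(ctx->enc & V_bpf_mask_in) != 0` fired for any bit shared between the hook's flags and the sysctl, so `ipsec_bpf_mask=2` also produced a copy here; now only `IPSEC_ENC_BEFORE` counts and the AFTER bit must be honoured by a separate tap later in the function. A one-line comment above the `if` saying that this is the pre-IPsec-processing copy (bit 1 of the mask) would spare the next reader a trip to the sysctl description, and the description strings of net.enc.*.ipsec_bpf_mask should spell out the bit meanings. Style nit: the `&& (` left open at the end of the `if` line is hard to match visually; grouping the two hook-type clauses on their own lines, e.g. `if ((ctx->enc & IPSEC_ENC_BEFORE) != 0 &&` / `    ((hhook_type == HHOOK_TYPE_IPSEC_IN && ...) ||`, reads more naturally.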
@@ -290,6 +291,23 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 		return (EACCES);
 	}
 	(*ctx->mp)->m_pkthdr.rcvif = rcvif;
+
+	if ((ctx->enc & IPSEC_ENC_AFTER) != 0 && (
+	    (hhook_type == HHOOK_TYPE_IPSEC_IN &&
+	    (V_bpf_mask_in & IPSEC_ENC_AFTER) != 0) ||
+	    (hhook_type == HHOOK_TYPE_IPSEC_OUT &&
+	    (V_bpf_mask_out & IPSEC_ENC_AFTER) != 0)) &&
+	    bpf_peers_present(ifp->if_bpf) != 0) {
+		hdr.af = ctx->af;
+		hdr.spi = ctx->sav->spi;
+		hdr.flags = 0;
+		if (ctx->sav->alg_enc != SADB_EALG_NONE)
+			hdr.flags |= M_CONF;
+		if (ctx->sav->alg_auth != SADB_AALG_NONE)
+			hdr.flags |= M_AUTH;
+		bpf_mtap2(ifp->if_bpf, &hdr, sizeof(hdr), *ctx->mp);
+	}
+
 	return (0);
 }
 
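Review bot: the new tap sits on the success path only: a packet the filter hook drops leaves through the `return (EACCES)` just above the block and is never copied, so with the AFTER bit set a packet that shows up once (before) and not again is one the firewall consumed. That is exactly the signal this debugging session needs, and it deserves a comment at the tap so nobody later moves the block above the filter call. The header setup (`hdr.af`, `hdr.spi`, the M_CONF/M_AUTH flags, `bpf_mtap2`) repeats the sequence that starts at the first tap, where `hdr.af = ctx->af;` and `hdr.spi = ctx->sav->spi;` are visible as context; a small static helper taking `ifp`, `ctx` and the mbuf would keep the two copies from drifting apart.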
From owner-freebsd-net@freebsd.org Mon Jul 24 11:30:12 2017
From: "Andrey V. Elsukov"
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Mon, 24 Jul 2017 14:27:28 +0300
Message-ID: <20d02c54-b02d-3089-f065-0dcde24c49d5@yandex.ru>

On 24.07.2017 14:18, Andrey V. Elsukov wrote:
> According to your tcpdump output, you need to set
> net.enc.out.ipsec_filter_mask=2
> 

Sorry, this should be
  net.enc.in.ipsec_filter_mask=2

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-net@freebsd.org Mon Jul 24 15:14:17 2017
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org
From: "Muenz, Michael"
Message-ID: <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org>
Date: Mon, 24 Jul 2017 17:15:12 +0200

On 24.07.2017 13:18, Andrey V. Elsukov wrote:
>
> Ok, let's try to debug the problem. Please use 11.1-RC, it has a
> significantly changed IPsec stack.
>
> Apply the attached patch to if_enc(4), it makes if_enc a bit useful for
> debugging your problem. You need to rebuild and reinstall
> sys/modules/if_enc.
>
> Now enable verbose BPF logging:
> net.enc.out.ipsec_bpf_mask=3
> net.enc.in.ipsec_bpf_mask=3
>
> According to your tcpdump output, you need to set
> net.enc.out.ipsec_filter_mask=2
>
> Show what you will see in the `tcpdump -nvi enc0` with such config
> options. Also, show what you have in the `sysctl net.inet.ip.fw` and
> `ipfw show` output.
>

Great! The guys from OPNsense built me a custom 11.1 kernel with your patch.
Here's one packet on enc0:

root@PB-FW1-FRA:~ # tcpdump -vni enc0
tcpdump: listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
17:07:41.769313 (authentic,confidential): SPI 0x90b7ba72: IP (tos 0x0, ttl 63, id 27752, offset 0, flags [none], proto ICMP (1), length 28, bad cksum b72d (->b82d)!)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 41163, seq 28416, length 8
17:07:41.777223 (authentic,confidential): SPI 0xcaae18f8: IP (tos 0x0, ttl 58, id 44180, offset 0, flags [none], proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 46327, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 41163, seq 28416, length 8
17:07:41.777240 (authentic,confidential): SPI 0xcaae18f8: IP (tos 0x0, ttl 63, id 46327, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33347, seq 28416, length 8
17:07:41.846588 (authentic,confidential): SPI 0x90b7ba72: IP (tos 0x0, ttl 63, id 61607, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 32ee (->33ee)!)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 45562, seq 58116, length 8
17:07:41.854692 (authentic,confidential): SPI 0xcaae18f8: IP (tos 0x0, ttl 58, id 44196, offset 0, flags [none], proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 46335, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 45562, seq 58116, length 8
17:07:41.854706 (authentic,confidential): SPI 0xcaae18f8: IP (tos 0x0, ttl 63, id 46335, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 40754, seq 58116, length 8

ipfw show:

root@PB-FW1-FRA:~ # ipfw show
00100     0       0 allow pfsync from any to any
00110     0       0 allow carp from any to any
00120     0       0 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130     0       0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140     0       0 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150     0       0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00179   410   11480 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179   414   11816 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
00200     0       0 skipto 60000 ip6 from ::1 to any
00201    44   41006 skipto 60000 ip4 from 127.0.0.0/8 to any
00202     0       0 skipto 60000 ip6 from any to ::1
00203     0       0 skipto 60000 ip4 from any to 127.0.0.0/8
01002     0       0 skipto 60000 udp from any to 10.26.1.1 dst-port 53 keep-state
01002     4     336 skipto 60000 ip from any to { 255.255.255.255 or 10.26.1.1 } in
01002   463   14672 skipto 60000 ip from { 255.255.255.255 or 10.26.1.1 } to any out
01002     0       0 skipto 60000 icmp from { 255.255.255.255 or 10.26.1.1 } to any out icmptypes 0
01002     0       0 skipto 60000 icmp from any to { 255.255.255.255 or 10.26.1.1 } in icmptypes 8
06000  5131 4476281 skipto 60000 tcp from any to any out
06199 10768 1914882 skipto 60000 ip from any to any
30000     0       0 count ip from any to any
60000     0       0 return ip from any to any
60001     0       0 queue 10000 tcp from any to 10.24.66.0/24 via enc0
65533 16410 6447177 allow ip from any to any
65534     0       0 deny ip from any to any
65535     0       0 deny ip from any to any

sysctl:

net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 3
net.enc.in.ipsec_filter_mask: 2

root@PB-FW1-FRA:~ # sysctl net.inet.ip.fw
net.inet.ip.fw.dyn_keep_states: 0
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.enable: 1
net.inet.ip.fw.static_count: 25
net.inet.ip.fw.default_to_accept: 0
net.inet.ip.fw.tables_sets: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 0

Thanks!
Michael

-- 
www.muenz-it.de - Cisco, Linux, Networks

From owner-freebsd-net@freebsd.org Mon Jul 24 17:04:33 2017
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: "Muenz, Michael", freebsd-net@freebsd.org
From: "Andrey V. Elsukov"
Message-ID: <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru>
Date: Mon, 24 Jul 2017 20:01:43 +0300
In-Reply-To: <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org>

On 24.07.2017 18:15, Muenz, Michael wrote:
> Here's one packet on enc0:
> 
> 
> root@PB-FW1-FRA:~ # tcpdump -vni enc0
> tcpdump: listening on enc0, link-type ENC (OpenBSD encapsulated IP),
> capture size 262144 bytes
> 17:07:41.769313 (authentic,confidential): SPI 0x90b7ba72: IP (tos 0x0,
> ttl 63, id 27752, offset 0, flags [none], proto ICMP (1), length 28, bad
> cksum b72d (->b82d)!)
>     10.26.1.1 > 10.24.66.25: ICMP echo request, id 41163, seq 28416,
> length 8
> 17:07:41.777223 (authentic,confidential): SPI 0xcaae18f8: IP (tos 0x0,
> ttl 58, id 44180, offset 0, flags [none], proto IPIP (4), length 48)
>     81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 46327, offset
> 0, flags [none], proto ICMP (1), length 28)
>     10.24.66.25 > 10.26.1.1: ICMP echo reply, id 41163, seq 28416, length 8
> 17:07:41.777240 (authentic,confidential): SPI 0xcaae18f8: IP (tos 0x0,
> ttl 63, id 46327, offset 0, flags [none], proto ICMP (1), length 28)
>     10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33347, seq 28416, length 8

This does not match what I expected to see. The reply here should be
something like "10.24.66.25 > 10.26.2.N: ICMP echo reply".

It seems the problem is with ipfw_nat, which for both directions thinks
that packets are inbound, and this leads to incorrect translation.

Can you modify your IPsec security policies, so outgoing packets from
10.26.2.0/24 will go through the same tunnel? Then you need to modify
the nat rules:

  ipfw nat 1 config ip 10.26.1.1
  ipfw add 179 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
  ipfw add 179 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0

-- 
WBR, Andrey V. Elsukov
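Two checks that follow from the diagnosis above, as an added example (my code, not the thread's or FreeBSD's): lint the nat rules from the `ipfw show` output for a missing in/out qualifier, and scan the enc0 capture for echo replies whose source equals their destination or whose id/seq never appeared in a request. The rule lines and capture lines are constructed from the outputs quoted in the thread, and the function names are this example's own.

```python
"""Checks for the ipfw nat over enc(4) symptom discussed in this thread:
lint `ipfw show` nat rules for a missing in/out qualifier, and scan a
`tcpdump -vni enc0` capture for echo replies that cannot answer any
request seen. Inputs are constructed from the outputs quoted above."""
import re
from dataclasses import dataclass
from typing import Optional

# One `ipfw show` line with a nat action: number, pkts, bytes, "nat N", rest.
NAT_RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+nat\s+(?P<inst>\d+)\s+(?P<body>.*)$")
# The inner ICMP line that tcpdump -v prints under each packet.
ICMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

@dataclass
class NatRule:
    number: int
    instance: int
    direction: Optional[str]  # "in", "out", or None if the rule has no qualifier
    iface: Optional[str]      # interface named after recv/xmit/via, if any

def parse_nat_rule(line: str) -> Optional[NatRule]:
    """Parse one `ipfw show` line; None for anything but a nat rule."""
    m = NAT_RULE_RE.match(line.strip())
    if m is None:
        return None
    words = m.group("body").split()
    direction = next((w for w in words if w in ("in", "out")), None)
    iface = None
    for i, w in enumerate(words[:-1]):
        if w in ("recv", "xmit", "via"):
            iface = words[i + 1]
    return NatRule(int(m.group("num")), int(m.group("inst")), direction, iface)

def lint_nat_rules(show_output: str) -> list:
    """(rule number, problem) for nat rules not pinned to one direction on
    one interface; the fix proposed in the thread is `out xmit enc0` for
    the request path and `in recv enc0` for the reply path."""
    findings = []
    for line in show_output.splitlines():
        rule = parse_nat_rule(line)
        if rule is None:
            continue
        if rule.direction is None:
            findings.append((rule.number, "no in/out qualifier, matches both directions"))
        elif rule.iface is None:
            findings.append((rule.number, "no recv/xmit interface, matches every interface"))
    return findings

def find_mistranslated_replies(capture: str) -> list:
    """Flag echo replies whose source equals their destination, or whose
    (id, seq) never appeared in an earlier request in the capture."""
    seen_requests, problems = set(), []
    for m in ICMP_RE.finditer(capture):
        key = (m.group("id"), m.group("seq"))
        if m.group("kind") == "request":
            seen_requests.add(key)
            continue
        reasons = []
        if m.group("src") == m.group("dst"):
            reasons.append("src == dst")
        if key not in seen_requests:
            reasons.append("id/seq matches no request")
        if reasons:
            problems.append("%s > %s id %s: %s" % (
                m.group("src"), m.group("dst"), m.group("id"), ", ".join(reasons)))
    return problems

# Constructed from the `ipfw show` output posted above: the first nat rule
# carries no direction, the second is pinned to enc0 inbound.
RULES_AS_POSTED = """\
00179 410 11480 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 414 11816 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
65533 16410 6447177 allow ip from any to any
"""
# The corrected pair from the last message, as `ipfw show` would print it.
RULES_CORRECTED = """\
00179 0 0 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
00179 0 0 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
"""
# Constructed from the enc0 capture posted above (header detail trimmed):
# request, untranslated reply inside IPIP, then the reply after translation.
CAPTURE = """\
17:07:41.769313 (authentic,confidential): SPI 0x90b7ba72: IP (proto ICMP (1), length 28)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 41163, seq 28416, length 8
17:07:41.777223 (authentic,confidential): SPI 0xcaae18f8: IP (proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 41163, seq 28416, length 8
17:07:41.777240 (authentic,confidential): SPI 0xcaae18f8: IP (proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33347, seq 28416, length 8
"""

if __name__ == "__main__":
    print("as posted:", lint_nat_rules(RULES_AS_POSTED))
    print("corrected:", lint_nat_rules(RULES_CORRECTED))
    for problem in find_mistranslated_replies(CAPTURE):
        print("suspicious reply:", problem)
```

Run against the posted rules it reports the first rule 179; the corrected pair passes, and the capture check singles out the `10.26.1.1 > 10.26.1.1` reply with the rewritten id.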
From: bugzilla-noreply@freebsd.org To: freebsd-net@FreeBSD.org Subject: [Bug 220980] [panic] panic when destroying vlan interface with traffic Date: Mon, 24 Jul 2017 21:29:16 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: linimon@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: assigned_to Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2017 21:29:17 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D220980 Mark Linimon changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|freebsd-bugs@FreeBSD.org |freebsd-net@FreeBSD.org --=20 You are receiving this mail because: You are the assignee for the bug.= From owner-freebsd-net@freebsd.org Mon Jul 24 21:37:05 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8F0BADA4C38 for ; Mon, 24 Jul 2017 21:37:05 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org 
(Postfix) with ESMTPS id 7D4257D817 for ; Mon, 24 Jul 2017 21:37:05 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v6OLb59W028227 for ; Mon, 24 Jul 2017 21:37:05 GMT (envelope-from bugzilla-noreply@freebsd.org) 
From: bugzilla-noreply@freebsd.org To: freebsd-net@FreeBSD.org Subject: [Bug 220980] [panic] panic when destroying vlan interface with traffic Date: Mon, 24 Jul 2017 21:37:05 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: mjoras@freebsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2017 21:37:05 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220980

Matt Joras changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mjoras@freebsd.org

--- Comment #1 from Matt Joras ---
This should be fixed by https://reviews.freebsd.org/D11370

Feel free to test the diff if you'd like.
From owner-freebsd-net@freebsd.org Mon Jul 24 21:37:28 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D4171DA4CE0 for ; Mon, 24 Jul 2017 21:37:28 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C27CA7D8CF for ; Mon, 24 Jul 2017 21:37:28 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v6OLbR0g028761 for ; Mon, 24 Jul 2017 21:37:28 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org To: freebsd-net@FreeBSD.org Subject: [Bug 220860] Double loading of the if_bridge module causes panic Date: Mon, 24 Jul 2017 21:37:28 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 11.0-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: linimon@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: assigned_to Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2017 21:37:28 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220860

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-net@FreeBSD.org

From owner-freebsd-net@freebsd.org Mon Jul 24 21:38:12 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A5611DA4E05 for ; Mon, 24 Jul 2017 21:38:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix)
with ESMTPS id 925BA7DA09 for ; Mon, 24 Jul 2017 21:38:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v6OLcChS029801 for ; Mon, 24 Jul 2017 21:38:12 GMT (envelope-from bugzilla-noreply@freebsd.org) 
From: bugzilla-noreply@freebsd.org To: freebsd-net@FreeBSD.org Subject: [Bug 220980] [panic] panic when destroying vlan interface with traffic Date: Mon, 24 Jul 2017 21:38:12 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: mjoras@freebsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2017 21:38:12 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220980

--- Comment #2 from Matt Joras 
I should note, the fix is not committed yet.
From owner-freebsd-net@freebsd.org Mon Jul 24 21:45:12 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A0AF3DA91E4 for ; Mon, 24 Jul 2017 21:45:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8F7777DEF4 for ; Mon, 24 Jul 2017 21:45:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v6OLjCP9051270 for ; Mon, 24 Jul 2017 21:45:12 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org To: freebsd-net@FreeBSD.org Subject: [Bug 220980] [panic] panic when destroying vlan interface with traffic Date: Mon, 24 Jul 2017 21:45:12 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: kxie@xiplink.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2017 21:45:12 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220980

--- Comment #3 from Kun Xie ---
(In reply to Matt Joras from comment #2)

Great! I'll try it. Thanks!
From owner-freebsd-net@freebsd.org Mon Jul 24 22:09:06 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B4E17DA9943 for ; Mon, 24 Jul 2017 22:09:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A2B157EA4C for ; Mon, 24 Jul 2017 22:09:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v6OM95aL021755 for ; Mon, 24 Jul 2017 22:09:06 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org To: freebsd-net@FreeBSD.org Subject: [Bug 217637] One TCP connection accepted TWO times Date: Mon, 24 Jul 2017 22:09:05 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 10.3-RELEASE X-Bugzilla-Keywords: needs-qa X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: freebsd@ruka.org X-Bugzilla-Status: In Progress X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: tuexen@freebsd.org X-Bugzilla-Flags: mfc-stable10? mfc-stable11+ X-Bugzilla-Changed-Fields: cc attachments.created Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2017 22:09:06 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217637

Richard Russo changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |freebsd@ruka.org

--- Comment #87 from Richard Russo ---
Created attachment 184680
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=184680&action=edit
patch to not send acks in this case

We've recently started hitting this at WhatsApp as well. I've applied the
syncookie patches from CURRENT to 10.3 manually, and it successfully prevents
this from happening as long as the syncache hasn't overflowed recently or been
disabled.
Unfortunately, if the syncache does overflow, when this case does happen, once
the connection is re-opened, the connection states on each peer are out of
sync, and each peer will respond to a packet with unreasonable seq/ack data by
sending an empty ack with the current seq/ack; the other peer will find this
unreasonable and the resulting packet storms were causing availability
problems.

I've attached a patch we've been running on a few machines. With this, when the
connections do get into this state, we don't contribute to the packet storm;
instead, the connection will end up eventually closing without sending very
many packets.

I have some complete connection pcaps available (from before patching), and can
share them (after masking IPs and tcp payloads) if they'll be useful. From the
traces I've seen, we're getting many retransmits from the peer (or a
middlebox), and also the peer ends the connection soon after opening, by
sending a FIN. Our host acks the FIN and also closes with a FIN. After the
peer's ack of our FIN, we receive a new ACK that's a retransmit of the original
ACK, and reopen the connection at the connection's original SEQ/ACK, while the
peer is in TIME_WAIT at the final SEQ/ACK. In the traces I was able to capture,
the peers were mobile devices across the world and on high-latency links.
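The exchange Richard Russo describes above (one peer re-opened at the original SEQ/ACK, the other in TIME_WAIT at the final SEQ/ACK, each answering the other's unacceptable segment with a bare ACK), together with the RFC 793 rule he quotes in comment #88, modelled as a small simulation. This is an added example, not the attached patch, not FreeBSD code and not from the bug: the sequence numbers, the two-check input routine and the `drop` policy are constructed to show why silently dropping a segment whose ACK is beyond SND.NXT ends the storm while answering it, as RFC 793 says, keeps it going.

```python
"""Toy model of the ACK exchange described in the comment above (added
example: not the attached patch, not FreeBSD code).  Two TCP endpoints
whose state has drifted apart answer each other's unacceptable segments
with bare ACKs until something stops; all numbers are constructed."""
from dataclasses import dataclass
from typing import Optional

RFC793, DROP = "rfc793", "drop"   # what to do when SEG.ACK > SND.NXT


def seq_gt(a: int, b: int) -> bool:
    """SEQ_GT(): is a after b, comparing 32-bit sequence numbers mod 2**32?"""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


@dataclass
class Segment:
    seq: int
    ack: int


@dataclass
class Peer:
    name: str
    snd_nxt: int
    rcv_nxt: int
    policy: str = RFC793

    def bare_ack(self) -> Segment:
        """An empty ACK carrying this peer's current SEQ/ACK."""
        return Segment(self.snd_nxt, self.rcv_nxt)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """tcp_input() on a synchronized connection, reduced to the two
        checks that matter here; returns the reply, or None to stay silent."""
        if seq_gt(seg.ack, self.snd_nxt):
            # "If the ACK acks something not yet sent (SEG.ACK > SND.NXT)
            # then send an ACK, drop the segment, and return" (RFC 793)
            # versus dropping without a reply.
            return self.bare_ack() if self.policy == RFC793 else None
        if seg.seq != self.rcv_nxt:
            # Out-of-window segment (e.g. seen by the TIME_WAIT side):
            # both policies answer with an ACK carrying the current state.
            return self.bare_ack()
        return None   # acceptable segment: absorb it, nothing to send


def exchange(sender: Peer, receiver: Peer, first: Segment, cap: int = 1000) -> int:
    """Bounce segments between the peers until one stays silent and return
    how many went on the wire; the cap makes a storm terminate."""
    seg, sent = first, 0
    while seg is not None and sent < cap:
        sent += 1
        seg = receiver.receive(seg)
        sender, receiver = receiver, sender
    return sent


def ack_storm_packets(policy: str) -> int:
    """A re-opened the connection at the original numbers (ISS+1 each way);
    B is in TIME_WAIT after 200 bytes in each direction plus the two FINs.
    The first segment is B's retransmitted final ACK arriving at A."""
    a = Peer("A", snd_nxt=1001, rcv_nxt=5001, policy=policy)
    b = Peer("B", snd_nxt=5202, rcv_nxt=1202)
    return exchange(b, a, b.bare_ack())


if __name__ == "__main__":
    for pol in (RFC793, DROP):
        print(f"{pol}: {ack_storm_packets(pol)} segments before the peers go quiet")
```

With the RFC 793 behaviour on both sides the loop only stops at the cap (1000 segments here); with the drop policy on one side the first unacceptable ACK is swallowed and nothing more is sent. The model ignores retransmission timers and the peer's middlebox, which in the real traces re-seed the loop.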
From owner-freebsd-net@freebsd.org Tue Jul 25 04:07:51 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2A812DB499B for ; Tue, 25 Jul 2017 04:07:51 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 19580666D9 for ; Tue, 25 Jul 2017 04:07:51 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v6P47our030117 for ; Tue, 25 Jul 2017 04:07:50 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org To: freebsd-net@FreeBSD.org Subject: [Bug 217637] One TCP connection accepted TWO times Date: Tue, 25 Jul 2017 04:07:51 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 10.3-RELEASE X-Bugzilla-Keywords: needs-qa X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: freebsd@ruka.org X-Bugzilla-Status: In Progress X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: tuexen@freebsd.org X-Bugzilla-Flags: mfc-stable10? mfc-stable11+ X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Jul 2017 04:07:51 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217637

--- Comment #88 from Richard Russo ---
Also, I had intended to include a link to a similar change in the Linux kernel,
https://github.com/torvalds/linux/commit/96e0bf4b5193d0d97d139f99e2dd128763d55521
(Although the comments there say this behavior is consistent with the RFC, I
don't think it is consistent, however; the RFC says, "If the ACK acks something
not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and
return.")

From owner-freebsd-net@freebsd.org Tue Jul 25 07:35:48 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C7C49DBCE17 for ; Tue, 25 Jul 2017 07:35:48 +0000 (UTC)
(envelope-from m.muenz@spam-fetish.org) Received: from mailout-02.maxonline.de (mailout-02.maxonline.de [81.24.66.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 81A396C0B3 for ; Tue, 25 Jul 2017 07:35:47 +0000 (UTC) (envelope-from m.muenz@spam-fetish.org) Received: from web03-01.max-it.de (web03-01.max-it.de [81.24.64.215]) by mailout-02.maxonline.de (Postfix) with ESMTPS id C21EE4A for ; Tue, 25 Jul 2017 09:35:45 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by web03-01.max-it.de (Postfix) with ESMTP id BC59E28B849 for ; Tue, 25 Jul 2017 09:35:45 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at web03-01.max-it.de Received: from web03-01.max-it.de ([127.0.0.1]) by localhost (web03-01.max-it.de [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JOECMN4SlUSU for ; Tue, 25 Jul 2017 09:35:45 +0200 (CEST) Received: from [81.24.66.132] (unknown [81.24.66.132]) (Authenticated sender: m.muenz@spam-fetish.org) by web03-01.max-it.de (Postfix) with ESMTPA id 8B8B328B847 for ; Tue, 25 Jul 2017 09:35:45 +0200 (CEST) Subject: Re: NAT before IPSEC - reply packets stuck at enc0 To: freebsd-net@freebsd.org References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org> <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org> <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru> 
From: "Muenz, Michael" Message-ID: Date: Tue, 25 Jul 2017 09:36:50 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Jul 2017 07:35:48 -0000

On 24.07.2017 at 19:01, Andrey V. Elsukov wrote:
>
> .1.1: ICMP echo reply, id 33347, seq 28416, length 8
> This does not match with what I expected to see. The reply here should
> be something like "10.24.66.25 > 10.26.2.N: ICMP echo reply".
>
> It seems the problem is with ipfw_nat, that for both directions thinks
> that packets are inbound and this leads to incorrect translation.
>
> Can you modify your IPsec security policies, so outgoing packets from
> 10.26.2.0/24 will go through the same tunnel? Then you need to modify
> nat rule:
>
> ipfw nat 1 config ip 10.26.1.1
> ipfw add 179 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
> ipfw add 179 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>

Hi,

when I change it to

out xmit enc0

nothing happens because the packets have to match the IPSEC SA before
entering the tunnel (and enc0 I guess).
So it has to be

in recv vtnet1

to be more precise, but then it's the same result:

09:29:11.092932 (authentic,confidential): SPI 0x2478d746: IP (tos 0x0, ttl 63, id 54367, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 4f36 (->5036)!)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 48914, seq 34304, length 8
09:29:11.101524 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 58, id 51185, offset 0, flags [none], proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 48914, seq 34304, length 8
09:29:11.101535 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33409, seq 34304, length 8

Thanks,
Michael

From owner-freebsd-net@freebsd.org Tue Jul 25 08:25:47 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A9DEADBDB46 for ; Tue, 25 Jul 2017 08:25:47 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from forward3j.cmail.yandex.net (forward3j.cmail.yandex.net [5.255.227.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Yandex CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 460E46D5A4 for ; Tue, 25 Jul 2017 08:25:46 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from smtp2j.mail.yandex.net (smtp2j.mail.yandex.net [IPv6:2a02:6b8:0:801::ac]) by forward3j.cmail.yandex.net (Yandex) with ESMTP id C325620F0F; Tue, 25 Jul 2017 11:25:37 +0300 (MSK) Received: from smtp2j.mail.yandex.net (localhost.localdomain [127.0.0.1]) by smtp2j.mail.yandex.net (Yandex) with ESMTP id A63BF3EC0F7B; Tue, 25 Jul 2017 11:25:28 +0300 (MSK) Received: by smtp2j.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id EyNVhkFY9q-PRYaVqfn; Tue, 25 Jul 2017 11:25:27 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client certificate not present) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
t=1500971127; bh=ABN8dew9bwGWNdZwWrA+j1zve89a+7S7NE/rBuqU9V8=; h=Subject:To:References:From:Message-ID:Date:In-Reply-To; b=qD9GvXQEOZtNvhIujGt/r+Vs7wlSdM1cccRRq2DxuErWlXGeKD2PCnCHV+N8dLUg3 xVReXHiTahC31QyKYTisFrQZA46gy9i25LG8DdKnWS9EL4N6Dqt28E0dK1y3kXzTbI zp8yiX16TbwVhFZElBICNRhAhQuz/UHOcs4luyM0= Authentication-Results: smtp2j.mail.yandex.net; dkim=pass header.i=@yandex.ru X-Yandex-Suid-Status: 1 0,1 0 Subject: Re: NAT before IPSEC - reply packets stuck at enc0 To: "Muenz, Michael" , freebsd-net@freebsd.org References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org> <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org> <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru> From: "Andrey V. Elsukov" Openpgp: id=E6591E1B41DA1516F0C9BC0001C5EA0410C8A17A Message-ID: <5dfdfbb3-1046-5abe-b23a-b62c215b5d08@yandex.ru> Date: Tue, 25 Jul 2017 11:22:49 +0300 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.0.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="I64HfSqiGlCeOfli5nrFgB1En4jU6eN5I" X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Jul 2017 08:25:47 -0000
On 25.07.2017 10:36, Muenz, Michael wrote:
> On 24.07.2017 at 19:01, Andrey V. Elsukov wrote:
>>
>> .1.1: ICMP echo reply, id 33347, seq 28416, length 8
>> This does not match with what I expected to see. The reply here should
>> be something like "10.24.66.25 > 10.26.2.N: ICMP echo reply".
>>
>> It seems the problem is with ipfw_nat, that for both directions thinks
>> that packets are inbound and this leads to incorrect translation.
>>
>> Can you modify your IPsec security policies, so outgoing packets from
>> 10.26.2.0/24 will go through the same tunnel?
>> Then you need to modify
>> nat rule:
>>
>> ipfw nat 1 config ip 10.26.1.1
>> ipfw add 179 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24 out xmit
>> enc0
>> ipfw add 179 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>>
>
> Hi,
>
> when I change it to
>
> out xmit enc0
>
> nothing happens because the packets have to match the IPSEC SA before
> entering the tunnel (and enc0 I guess).
> So it has to be
>
> in recv vtnet1

ICMP request should be matched by outbound IPsec policy. Looking at your
tcpdump, you use tunnel IPsec mode. So, how this should work:

* 10.26.2.N sends ICMP request to 10.24.66.25

* 10.26.1.1 handles it by tunnel mode IPsec security policy, something like:
  spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
    esp/tunnel/213.244.192.191-81.24.74.3/require;

* IPsec code does lookup for IPsec SA and uses something like:
  add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;

* Then if_enc(4) pfil handler is called and now you need to do address
  translation (with net.enc.out.ipsec_filter_mask=1), and in tcpdump you
  should see not yet translated packet:
  10.26.2.N > 10.24.66.25: ICMP echo request ....

* Then IPsec code does IP encapsulation and you will see:
  213.244.192.191 > 81.24.74.3: IPIP ...
  10.26.1.1 > 10.24.66.25: ICMP echo request
  (in my previous patch was a bug, and you did not see outbound packet
  two times in tcpdump, I attached new patch where it is fixed)

* Then IPsec sends encrypted packet to 81.24.74.3.

* The second host sends ICMP reply to 10.26.1.1.

* 213.244.192.191 receives encrypted packet and does IPsec SA lookup, it
  should have something like:
  add 81.24.74.3 213.244.192.191 esp 0xce702ac1 -m tunnel -E ...;

* IPsec code does decryption and if_enc(4) hook is called, and you will
  see in the tcpdump:
  81.24.74.3 > 213.244.192.191: IPIP ...
  10.24.66.25 > 10.26.1.1: ICMP echo reply

* Since we use net.enc.out.ipsec_filter_mask=2, this packet will not be
  handled by firewall and IPsec will do IP decapsulation, and then will
  pass decapsulated packet to the pfil where it will be translated:
  10.24.66.25 > 10.26.2.N: ICMP echo reply ....

* Then this packet goes to ip_input() -> ip_forward() processing.
  To avoid extra IPsec processing you should have no security policy that
  matches "10.24.66.25 > 10.26.2.N" packet, or this should be policy that
  requires "none" IPsec processing.

* Then ip_forward() sends this packet to 10.26.2.N.

-- 
WBR, Andrey V. Elsukov

Content-Type: text/x-patch; name="if_enc.diff"
Content-Disposition: attachment; filename="if_enc.diff"

Index: sys/net/if_enc.c
===================================================================
--- sys/net/if_enc.c	(revision 321414)
+++ sys/net/if_enc.c	(working copy)
@@ -223,10 +223,11 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 	if (ctx->af != hhook_id)
 		return (EPFNOSUPPORT);
 
-	if (((hhook_type == HHOOK_TYPE_IPSEC_IN &&
-	    (ctx->enc & V_bpf_mask_in) != 0) ||
+	if ((ctx->enc & IPSEC_ENC_BEFORE) != 0 && (
+	    (hhook_type == HHOOK_TYPE_IPSEC_IN &&
+	    (V_bpf_mask_in & IPSEC_ENC_BEFORE) != 0) ||
 	    (hhook_type == HHOOK_TYPE_IPSEC_OUT &&
-	    (ctx->enc & V_bpf_mask_out) != 0)) &&
+	    (V_bpf_mask_out & IPSEC_ENC_BEFORE) != 0)) &&
 	    bpf_peers_present(ifp->if_bpf) != 0) {
 		hdr.af = ctx->af;
 		hdr.spi = ctx->sav->spi;
@@ -247,7 +248,7 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 			    (*ctx->mp)->m_pkthdr.len);
 		}
 		if ((ctx->enc & V_filter_mask_in) == 0)
-			return (0); /* skip pfil processing */
+			goto handle_bpf; /* skip pfil processing */
 		pdir = PFIL_IN;
 		break;
 	case HHOOK_TYPE_IPSEC_OUT:
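Review bot: the hdr fill that starts at the end of the first hunk (@@ -223,10 +223,11 @@: hdr.af, hdr.spi, and the flag/bpf_mtap2 lines that follow it in the unchanged code) is what the new handle_bpf block in the last hunk repeats line for line; move it into a small static helper, say enc_bpftap(ifp, ctx), and have each site pick the mask once (`mask = (hhook_type == HHOOK_TYPE_IPSEC_IN) ? V_bpf_mask_in : V_bpf_mask_out;`) so the before-stage test becomes `(ctx->enc & mask & IPSEC_ENC_BEFORE) != 0 && bpf_peers_present(ifp->if_bpf) != 0`, which is the same condition for the two hook types the function handles without the `&& (` / `(hhook_type ==` line split that style(9) readers will trip over.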
@@ -258,7 +259,7 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 			    (*ctx->mp)->m_pkthdr.len);
 		}
 		if ((ctx->enc & V_filter_mask_out) == 0)
-			return (0); /* skip pfil processing */
+			goto handle_bpf; /* skip pfil processing */
 		pdir = PFIL_OUT;
 		break;
 	default:
@@ -280,7 +281,7 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 		ph = NULL;
 	}
 	if (ph == NULL || !PFIL_HOOKED(ph))
-		return (0);
+		goto handle_bpf;
 	/* Make a packet looks like it was received on enc(4) */
 	rcvif = (*ctx->mp)->m_pkthdr.rcvif;
 	(*ctx->mp)->m_pkthdr.rcvif = ifp;
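Review bot: with the `goto handle_bpf` in @@ -280,7 +281,7 @@ (and the two in the hunks before it) every early exit now goes through the after-stage BPF tap, but the pfil drop path in the next hunk still does `return (EACCES)` before the label, so a packet the firewall drops on enc0 is never seen by tcpdump when the bpf mask selects IPSEC_ENC_AFTER only; either tap before returning EACCES or state that limitation. The ordering change itself (the after-stage tap now runs after pfil, so it shows the NAT-translated packet rather than the one IPsec produced) also needs a sentence in enc(4), which describes the bpf and filter mask sysctls.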
@@ -290,6 +291,24 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 		return (EACCES);
 	}
 	(*ctx->mp)->m_pkthdr.rcvif = rcvif;
+
+handle_bpf:
+	if ((ctx->enc & IPSEC_ENC_AFTER) != 0 && (
+	    (hhook_type == HHOOK_TYPE_IPSEC_IN &&
+	    (V_bpf_mask_in & IPSEC_ENC_AFTER) != 0) ||
+	    (hhook_type == HHOOK_TYPE_IPSEC_OUT &&
+	    (V_bpf_mask_out & IPSEC_ENC_AFTER) != 0)) &&
+	    bpf_peers_present(ifp->if_bpf) != 0) {
+		hdr.af = ctx->af;
+		hdr.spi = ctx->sav->spi;
+		hdr.flags = 0;
+		if (ctx->sav->alg_enc != SADB_EALG_NONE)
+			hdr.flags |= M_CONF;
+		if (ctx->sav->alg_auth != SADB_AALG_NONE)
+			hdr.flags |= M_AUTH;
+		bpf_mtap2(ifp->if_bpf, &hdr, sizeof(hdr), *ctx->mp);
+	}
+
 	return (0);
 }
 

From owner-freebsd-net@freebsd.org Tue Jul 25 08:42:54 2017 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D2EC4DBDEFC for ; Tue, 25 Jul 2017 08:42:54 +0000 (UTC) (envelope-from m.muenz@spam-fetish.org) Received: from mailout-02.maxonline.de (mailout-02.maxonline.de
From owner-freebsd-net@freebsd.org Tue Jul 25 08:42:54 2017
From: "Muenz, Michael"
To: freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Tue, 25 Jul 2017 10:43:56 +0200
In-Reply-To: <5dfdfbb3-1046-5abe-b23a-b62c215b5d08@yandex.ru>

On 25.07.2017 at 10:22, Andrey V. Elsukov wrote:
>
> ICMP request should be matched by outbound IPsec policy. Looking at your
> tcpdump, you use tunnel IPsec mode. So, how this should work:
>
> * 10.26.2.N sends ICMP request to 10.24.66.25
>
> * 10.26.1.1 handles it by tunnel mode IPsec security policy, something like:
>   spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
>       esp/tunnel/213.244.192.191-81.24.74.3/require;
> * IPsec code does lookup for IPsec SA and uses something like:
>   add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;

Thanks for the detailed explanation! I only know the insights with Linux,
but what I try to achieve is not to build an SA for 10.26.2.0 to 10.24.66.0.
So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done before
getting to the IPSEC process.
In Linux a packet not matching an SA would simply be dropped by the kernel
or throw a "NO PROPOSAL CHOSEN" since there's no known SA for 10.26.2.0 to
10.24.66.0.

I'll try to reach out to the OPNsense guys to see if they are willing to
patch a new kernel for me.

Thanks!
Michael

From owner-freebsd-net@freebsd.org Tue Jul 25 12:16:51 2017
From: "Muenz, Michael"
To: freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <860b48aa-b99e-7b71-3724-587ee0a7fe80@spam-fetish.org>
Date: Tue, 25 Jul 2017 14:17:53 +0200

On 25.07.2017 at 10:43, Muenz, Michael wrote:
> On 25.07.2017 at 10:22, Andrey V. Elsukov wrote:
>>
>> ICMP request should be matched by outbound IPsec policy. Looking at your
>> tcpdump, you use tunnel IPsec mode. So, how this should work:
>>
>> * 10.26.2.N sends ICMP request to 10.24.66.25
>>
>> * 10.26.1.1 handles it by tunnel mode IPsec security policy, something like:
>>   spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
>>       esp/tunnel/213.244.192.191-81.24.74.3/require;
>> * IPsec code does lookup for IPsec SA and uses something like:
>>   add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;
>
> Thanks for the detailed explanation! I only know the insights with Linux,
> but what I try to achieve is not to build an SA for 10.26.2.0 to 10.24.66.0.
> So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done before
> getting to the IPSEC process.
> In Linux a packet not matching an SA would simply be dropped by the kernel
> or throw a "NO PROPOSAL CHOSEN" since there's no known SA for 10.26.2.0 to
> 10.24.66.0.
>
> I'll try to reach out to the OPNsense guys to see if they are willing to
> patch a new kernel for me.
>
> Thanks!
>
> Michael

This is the output with the new kernel:

14:02:53.960436 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0, ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28, bad cksum b07 (->c07)!)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
14:02:53.960460 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0, ttl 64, id 32607, offset 0, flags [none], proto IPIP (4), length 48, bad cksum 0 (->c99b)!)
    213.244.192.191 > 81.24.74.3: IP (tos 0x0, ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
14:02:53.968634 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0, ttl 58, id 18352, offset 0, flags [none], proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 38600, seq 0, length 8
14:02:53.968653 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0, ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 44919, seq 0, length 8

So the most specific nat rule in order to get the packet into enc0 is:

ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

Thanks!
Michael

From owner-freebsd-net@freebsd.org Tue Jul 25 13:07:10 2017
From: "Andrey V. Elsukov"
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <1b831b84-1d3f-38cb-acee-07a339315417@yandex.ru>
Date: Tue, 25 Jul 2017 16:04:24 +0300
In-Reply-To: <860b48aa-b99e-7b71-3724-587ee0a7fe80@spam-fetish.org>

On 25.07.2017 15:17, Muenz, Michael wrote:
>>> * 10.26.2.N sends ICMP request to 10.24.66.25
>>>
>>> * 10.26.1.1 handles it by tunnel mode IPsec security policy, something like:
>>>   spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
>>>       esp/tunnel/213.244.192.191-81.24.74.3/require;
>>> * IPsec code does lookup for IPsec SA and uses something like:
>>>   add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;
>>
>> Thanks for the detailed explanation! I only know the insights with Linux,
>> but what I try to achieve is not to build an SA for 10.26.2.0 to 10.24.66.0.
>> So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done before
>> getting to the IPSEC process.
>> In Linux a packet not matching an SA would simply be dropped by the kernel
>> or throw a "NO PROPOSAL CHOSEN" since there's no known SA for 10.26.2.0 to
>> 10.24.66.0.

As I said already, the NAT thinks that both packets are inbound and does
translation for the source address each time. You need to do translation for
both directions on the enc0 interface like I described, or you need to
somehow hack/modify ipfw_nat.

You do not need to create an SA for 10.26.2.0->10.24.66.0, you only need to
create a security policy that will "route" such packets into the IPsec
tunnel. The translation will be done inside IPsec before IP encapsulation
and encryption. Since you are using tunnel mode IPsec, replies will be
returned to your external IP address, and this SA exists already. After
decryption and IP decapsulation the destination address of the packet will
be translated back to 10.26.2.N on if_enc(4).

> 14:02:53.960436 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0, ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28, bad cksum b07 (->c07)!)
>     10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
      ^^^ - this address must be 10.26.2.N, and it will be translated on "out xmit enc0".

> 14:02:53.960460 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0, ttl 64, id 32607, offset 0, flags [none], proto IPIP (4), length 48, bad cksum 0 (->c99b)!)
>     213.244.192.191 > 81.24.74.3: IP (tos 0x0, ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28)
>     10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
      ^^^ - and here it will become 10.26.1.1 after translation.

> 14:02:53.968634 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0, ttl 58, id 18352, offset 0, flags [none], proto IPIP (4), length 48)
>     81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
>     10.24.66.25 > 10.26.1.1: ICMP echo reply, id 38600, seq 0, length 8
      ^^^ - here your gateway receives the reply and will do IP decapsulation.

> 14:02:53.968653 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0, ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
>     10.26.1.1 > 10.26.1.1: ICMP echo reply, id 44919, seq 0, length 8
      ^^^ - here the packet will be translated back on "in recv enc0" and will have the following addresses: 10.24.66.25 > 10.26.2.N

> So the most specific nat rule in order to get the packet into enc0 is:
>
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

ipfw nat 1 config ip 10.26.1.1 log
ipfw add 179 nat 1 all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
ipfw add 179 nat 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

-- 
WBR, Andrey V. Elsukov
From owner-freebsd-net@freebsd.org Tue Jul 25 14:05:36 2017
From: "Muenz, Michael"
To: "Andrey V. Elsukov", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <0bbf5bb9-8089-f9ce-3b1d-e9bcbdbc6c76@spam-fetish.org>
Date: Tue, 25 Jul 2017 16:06:37 +0200
In-Reply-To: <1b831b84-1d3f-38cb-acee-07a339315417@yandex.ru>

On 25.07.2017 at 15:04, Andrey V. Elsukov wrote:
> On 25.07.2017 15:17, Muenz, Michael wrote:
>>>> * 10.26.2.N sends ICMP request to 10.24.66.25
>>>>
>>>> * 10.26.1.1 handles it by tunnel mode IPsec security policy, something like:
>>>>   spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
>>>>       esp/tunnel/213.244.192.191-81.24.74.3/require;
>>>> * IPsec code does lookup for IPsec SA and uses something like:
>>>>   add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;
>>> Thanks for the detailed explanation! I only know the insights with Linux,
>>> but what I try to achieve is not to build an SA for 10.26.2.0 to 10.24.66.0.
>>> So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done before
>>> getting to the IPSEC process.
>>> In Linux a packet not matching an SA would simply be dropped by the kernel
>>> or throw a "NO PROPOSAL CHOSEN" since there's no known SA for 10.26.2.0 to
>>> 10.24.66.0.
> As I said already, the NAT thinks that both packets are inbound and does
> translation for the source address each time. You need to do translation for
> both directions on the enc0 interface like I described, or you need to
> somehow hack/modify ipfw_nat.
>
> You do not need to create an SA for 10.26.2.0->10.24.66.0, you only need to
> create a security policy that will "route" such packets into the IPsec
> tunnel. The translation will be done inside IPsec before IP encapsulation
> and encryption. Since you are using tunnel mode IPsec, replies will be
> returned to your external IP address, and this SA exists already. After
> decryption and IP decapsulation the destination address of the packet will
> be translated back to 10.26.2.N on if_enc(4).

Can I use this spdadd command also when using strongswan? (Please excuse
stupid questions)

>
>> 14:02:53.960436 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0, ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28, bad cksum b07 (->c07)!)
>>     10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
>       ^^^ - this address must be 10.26.2.N, and it will be translated on "out xmit enc0".
>
>> 14:02:53.960460 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0, ttl 64, id 32607, offset 0, flags [none], proto IPIP (4), length 48, bad cksum 0 (->c99b)!)
>>     213.244.192.191 > 81.24.74.3: IP (tos 0x0, ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28)
>>     10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
>       ^^^ - and here it will become 10.26.1.1 after translation.
>
>> 14:02:53.968634 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0, ttl 58, id 18352, offset 0, flags [none], proto IPIP (4), length 48)
>>     81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
>>     10.24.66.25 > 10.26.1.1: ICMP echo reply, id 38600, seq 0, length 8
>       ^^^ - here your gateway receives the reply and will do IP decapsulation.
>
>> 14:02:53.968653 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0, ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
>>     10.26.1.1 > 10.26.1.1: ICMP echo reply, id 44919, seq 0, length 8
>       ^^^ - here the packet will be translated back on "in recv enc0" and will have the following addresses: 10.24.66.25 > 10.26.2.N
>
>> So the most specific nat rule in order to get the packet into enc0 is:
>>
>> ipfw nat 1 config ip 10.26.1.1 log reverse
>> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
>> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
> ipfw nat 1 config ip 10.26.1.1 log
> ipfw add 179 nat 1 all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
> ipfw add 179 nat 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>

Ok so your 3 nat commands will only match when there's a new spd like
above, right? Since there's nothing on enc0 without it.

Thanks
Michael
From owner-freebsd-net@freebsd.org Tue Jul 25 15:41:38 2017
From: "Andrey V. Elsukov"
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Tue, 25 Jul 2017 18:38:51 +0300
In-Reply-To: <0bbf5bb9-8089-f9ce-3b1d-e9bcbdbc6c76@spam-fetish.org>

On 25.07.2017 17:06, Muenz, Michael wrote:
>> As I said already, the NAT thinks that both packets are inbound and does
>> translation for the source address each time. You need to do translation for
>> both directions on the enc0 interface like I described, or you need to
>> somehow hack/modify ipfw_nat.
>>
>> You do not need to create an SA for 10.26.2.0->10.24.66.0, you only need to
>> create a security policy that will "route" such packets into the IPsec
>> tunnel. The translation will be done inside IPsec before IP encapsulation
>> and encryption. Since you are using tunnel mode IPsec, replies will be
>> returned to your external IP address, and this SA exists already. After
>> decryption and IP decapsulation the destination address of the packet will
>> be translated back to 10.26.2.N on if_enc(4).
>
> Can I use this spdadd command also when using strongswan? (Please excuse
> stupid questions)

I'm not familiar with strongswan configuration, but you can just try and
check that the proposed configuration will work.

>> ipfw nat 1 config ip 10.26.1.1 log
>> ipfw add 179 nat 1 all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
>> ipfw add 179 nat 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>>
>
> Ok so your 3 nat commands will only match when there's a new spd like
> above, right? Since there's nothing on enc0 without it.

Yes, it is. A security policy will route requests from 10.26.2.0/24 into the
IPsec tunnel, where they should be translated, and then replies will be
received.

-- 
WBR, Andrey V. Elsukov
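As an added illustration of the direction problem Andrey explains in the thread (and of his last answer that the rules only fire once a security policy puts the traffic on enc0), the following Python model is not code from the thread or from FreeBSD: it imitates how ipfw nat hands a matched packet to libalias (outgoing means rewrite the source and allocate a fresh ICMP id, incoming means restore the destination from the session table), including the `reverse` option, and runs a constructed echo request from host 10.26.2.7 through both rule sets; the ICMP ids and the "wan" interface name are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    icmp_id: int
    kind: str  # "request" or "reply"

    def __str__(self):
        return f"{self.src} > {self.dst}: ICMP echo {self.kind}, id {self.icmp_id}"

class LibAlias:
    """Stand-in for libalias: outgoing packets get the alias source address
    and a fresh ICMP id keyed to a session; incoming packets addressed to the
    alias are matched on that id and have destination and id restored.
    Incoming packets with no session pass through unchanged."""

    def __init__(self, alias_ip, first_id=38600):  # first_id is constructed
        self.alias_ip = alias_ip
        self.next_id = first_id
        self.sessions = {}  # alias icmp id -> (original src, original id)

    def outgoing(self, p):
        alias_id, self.next_id = self.next_id, self.next_id + 1
        self.sessions[alias_id] = (p.src, p.icmp_id)
        return replace(p, src=self.alias_ip, icmp_id=alias_id)

    def incoming(self, p):
        session = self.sessions.get(p.icmp_id)
        if p.dst != self.alias_ip or session is None:
            return p
        return replace(p, dst=session[0], icmp_id=session[1])

@dataclass(frozen=True)
class NatRule:
    """'ipfw add N nat 1 all from SRC to DST {in recv|out xmit} IFACE'."""
    direction: str
    iface: str
    src_net: str
    dst_net: str

    def matches(self, p, direction, iface):
        return (direction == self.direction and iface == self.iface
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net))

class IpfwNat:
    """'ipfw nat 1 config ip ALIAS [reverse]' and its rules; with 'reverse'
    an 'in' match is handed to libalias as outgoing and vice versa."""

    def __init__(self, alias_ip, reverse=False):
        self.alias = LibAlias(alias_ip)
        self.reverse = reverse
        self.rules = []

    def add(self, direction, iface, src_net, dst_net):
        self.rules.append(NatRule(direction, iface, src_net, dst_net))

    def hook(self, p, direction, iface):
        for rule in self.rules:
            if rule.matches(p, direction, iface):
                outgoing = (direction == "out") != self.reverse
                return self.alias.outgoing(p) if outgoing else self.alias.incoming(p)
        return p

# Constructed: host 10.26.2.7 pings 10.24.66.25 through the tunnel.
REQUEST = Pkt("10.26.2.7", "10.24.66.25", 4242, "request")

def run_ping(nat, policy=True, request=REQUEST):
    """Push the request through the gateway hooks and the reply back. With an
    outbound SPD policy the request is seen on enc0 before encapsulation
    ("out xmit enc0") and the decrypted reply on enc0 on the way in ("in recv
    enc0"); without one nothing touches enc0 and the packet leaves via "wan"."""
    tunnel = "enc0" if policy else "wan"
    p = request
    for direction, iface in (("in", "vtnet1"), ("out", tunnel)):
        p = nat.hook(p, direction, iface)
    sent = p
    p = Pkt(sent.dst, sent.src, sent.icmp_id, "reply")  # remote host answers
    for direction, iface in (("in", tunnel), ("out", "vtnet1")):
        p = nat.hook(p, direction, iface)
    return sent, p

def first_rule_set():
    """'ipfw nat 1 config ip 10.26.1.1 log reverse' with two 'in recv' rules."""
    nat = IpfwNat("10.26.1.1", reverse=True)
    nat.add("in", "vtnet1", "10.26.2.0/24", "10.24.66.0/24")
    nat.add("in", "enc0", "10.24.66.0/24", "10.26.1.1")
    return nat

def corrected_rule_set():
    """'ipfw nat 1 config ip 10.26.1.1 log' translating on enc0 both ways."""
    nat = IpfwNat("10.26.1.1")
    nat.add("out", "enc0", "10.26.2.0/24", "10.24.66.0/24")
    nat.add("in", "enc0", "10.24.66.0/24", "10.26.1.1")
    return nat
```

With the `reverse` rule set the reply is delivered as 10.26.1.1 > 10.26.1.1 with a new id, the symptom in the last tcpdump line of the thread, while the corrected set restores it to 10.24.66.25 > 10.26.2.7; with no policy the corrected rules never fire at all.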
[IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 696C472D1B for ; Wed, 26 Jul 2017 03:24:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v6Q3O6WX029262 for ; Wed, 26 Jul 2017 03:24:06 GMT (envelope-from bugzilla-noreply@freebsd.org) 
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220980] [panic] panic when destroying vlan interface with traffic
Date: Wed, 26 Jul 2017 03:24:06 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220980

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://reviews.freebsd.org
                   |                            |/D11370
              Flags|                            |mfc-stable10?,
                   |                            |mfc-stable11?
             Status|New                         |Open

-- 
You are receiving this mail because:
You are the assignee for the bug.

From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220980] [panic] panic when destroying vlan interface with traffic
Date: Wed, 26 Jul 2017 03:24:16 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220980

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |crash, needs-qa

From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220860] Double loading of the if_bridge module causes panic
Date: Wed, 26 Jul 2017 03:24:48 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220860

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |mfc-stable10?,
                   |                            |mfc-stable11?
             Status|New                         |Open
           Keywords|                            |crash, needs-qa

From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220980] [panic] panic when destroying vlan interface with traffic
Date: Wed, 26 Jul 2017 07:23:01 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220980

Harald Schmalzbauer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla.freebsd@omnilan.de

--- Comment #4 from Harald Schmalzbauer ---
(In reply to Matt Joras from comment #1)

Just wanted to drop a note that I've been using it for a month in a
semi-productive machine.
It's working fine, haven't found any regression, but wasn't suffering from
the former locking deficiencies either.
So not much weight to this note, but worth posting I hope ;-)

-harry


Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org
From: "Muenz, Michael"
Date: Wed, 26 Jul 2017 11:47:36 +0200

On 25.07.2017 at 17:38, Andrey V. Elsukov wrote:
> On 25.07.2017 17:06, Muenz, Michael wrote:
>>> As I said already, the NAT thinks that both packets are inbound and does
>>> translation for source address each time. You need to do translation for
>>> both directions on enc0 interface like I described, or you need to
>>> somehow hack/modify ipfw_nat.
>>>
>>> You do not need to create SA for 10.26.2.0->10.24.66.0, you only need to
>>> create security policy, that will "route" such packets into the IPsec
>>> tunnel. The translation will be done inside IPsec before IP
>>> encapsulation and encryption. Since you are using tunnel mode IPsec,
>>> replies will be returned to your external IP address, and this SA
>>> exists already. After decryption and IP decapsulation the destination
>>> address of packet will be translated back to 10.26.2.N on if_enc(4).
>> Can I use this spdadd command also when using strongswan? (Please excuse
>> stupid questions)
> I'm not familiar with strongswan configuration, but you can just try and
> check that the proposed configuration will work.

When I type setkey -PD I get:

10.24.66.0/24[any] 10.26.1.0/24[any] any
	in ipsec
	esp/tunnel/81.24.74.3-213.244.192.191/unique:2
	created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=5 seq=1 pid=4292
	refcnt=1
10.26.1.0/24[any] 10.24.66.0/24[any] any
	out ipsec
	esp/tunnel/213.244.192.191-81.24.74.3/unique:2
	created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=6 seq=0 pid=4292
	refcnt=1

So it's in use.

But when I type in your command it just "hangs". Not the system, but the
command doesn't get completed.

root@PB-FW1-FRA:~ # setkey -v -c spdadd -4 10.26.2.0/24 10.24.66.0/24
any -P out ipsec esp/tunnel/213.244.192.191-81.24.74.3/require ;

dmesg and syslog are clean, no error. Also adding the -v for verbose
doesn't output anything. Will have to investigate this.

>
>>> ipfw nat 1 config ip 10.26.1.1 log
>>> ipfw add 179 nat 1 all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
>>> ipfw add 179 nat 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>>>
>> Ok so your 3 nat commands will only match when there's a new spd like
>> above right?
>> Since there's nothing on enc0 without it.
> Yes, it is. A security policy will route requests from 10.26.2.0/24 into
> the IPsec tunnel, where they should be translated, and then replies will
> be received.
>

Ok, then it's clear why it doesn't work. Thanks for your efforts!
Will debug with the OPNsense devs to catch this one ..

Michael


Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: "Muenz, Michael", freebsd-net@freebsd.org
From: "Andrey V. Elsukov"
Date: Wed, 26 Jul 2017 13:20:23 +0300

On 26.07.2017 12:47, Muenz, Michael wrote:
> When I type setkey -PD I get:
>
> 10.24.66.0/24[any] 10.26.1.0/24[any] any
> 	in ipsec
> 	esp/tunnel/81.24.74.3-213.244.192.191/unique:2
> 	created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
> 	lifetime: 9223372036854775807(s) validtime: 0(s)
> 	spid=5 seq=1 pid=4292
> 	refcnt=1
> 10.26.1.0/24[any] 10.24.66.0/24[any] any
> 	out ipsec
> 	esp/tunnel/213.244.192.191-81.24.74.3/unique:2
> 	created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
> 	lifetime: 9223372036854775807(s) validtime: 0(s)
> 	spid=6 seq=0 pid=4292
> 	refcnt=1
>
>
> So it's in use.
>
> But when I type in your command it just "hangs". Not the system, but the
> command doesn't get completed.
>
> root@PB-FW1-FRA:~ # setkey -v -c spdadd -4 10.26.2.0/24 10.24.66.0/24
> any -P out ipsec esp/tunnel/213.244.192.191-81.24.74.3/require ;
>

You need to do it this way:
1. setkey -v -c
2. type the policy specification
3. press Enter and then press ^D

# setkey -v -c
spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
esp/tunnel/213.244.192.191-81.24.74.3/unique:2 ;
^D

Also, since your policies use "unique" level, you need to specify the
same level using "unique:N" syntax.

Also if it is interesting to you, I patched ipfw_nat to be able to specify
the needed direction. The patch is untested at all :)
https://people.freebsd.org/~ae/nat_in_out.diff

You need to rebuild ipfw(4) and ipfw_nat(4) kernel modules, and also the
ipfw(8) binary.

With this patch you can use the following commands:

ipfw nat 1 config ip 10.26.1.1 log
ipfw add 179 nat-out 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat-in 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

or these:
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat-in 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat-out 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

Or maybe the guys from OPNsense can help with testing.

-- 
WBR, Andrey V. Elsukov

Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: freebsd-net@freebsd.org
From: "Muenz, Michael"
Date: Wed, 26 Jul 2017 14:33:44 +0200

On 26.07.2017 at 12:20, Andrey V. Elsukov wrote:
> On 26.07.2017 12:47, Muenz, Michael wrote:
>> When I type setkey -PD I get:
>>
>> 10.24.66.0/24[any] 10.26.1.0/24[any] any
>> 	in ipsec
>> 	esp/tunnel/81.24.74.3-213.244.192.191/unique:2
>> 	created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
>> 	lifetime: 9223372036854775807(s) validtime: 0(s)
>> 	spid=5 seq=1 pid=4292
>> 	refcnt=1
>> 10.26.1.0/24[any] 10.24.66.0/24[any] any
>> 	out ipsec
>> 	esp/tunnel/213.244.192.191-81.24.74.3/unique:2
>> 	created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
>> 	lifetime: 9223372036854775807(s) validtime: 0(s)
>> 	spid=6 seq=0 pid=4292
>> 	refcnt=1
>>
>>
>> So it's in use.
>>
>> But when I type in your command it just "hangs". Not the system, but the
>> command doesn't get completed.
>>
>> root@PB-FW1-FRA:~ # setkey -v -c spdadd -4 10.26.2.0/24 10.24.66.0/24
>> any -P out ipsec esp/tunnel/213.244.192.191-81.24.74.3/require ;
>>
> You need to do it this way:
> 1. setkey -v -c
> 2. type the policy specification
> 3. press Enter and then press ^D
>
>
> # setkey -v -c
> spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
> esp/tunnel/213.244.192.191-81.24.74.3/unique:2 ;
> ^D
>
> Also, since your policies use "unique" level, you need to specify the
> same level using "unique:N" syntax.
>
> Also if it is interesting to you, I patched ipfw_nat to be able to specify
> the needed direction. The patch is untested at all :)
> https://people.freebsd.org/~ae/nat_in_out.diff
>
> You need to rebuild ipfw(4) and ipfw_nat(4) kernel modules, and also the
> ipfw(8) binary.
>
> With this patch you can use the following commands:
>
> ipfw nat 1 config ip 10.26.1.1 log
> ipfw add 179 nat-out 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
> ipfw add 179 nat-in 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> or these:
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat-in 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
> ipfw add 179 nat-out 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> Or maybe the guys from OPNsense can help with testing.
>

You are a genius! Many thanks for your patience with me! Now I have a
running setup and it also works with the unpatched OPNsense kernel:

kldload ipfw_nat
ipfw nat 1 config ip 10.26.1.1 log
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

setkey -PD | grep unique
setkey -v -c
spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
esp/tunnel/213.244.192.191-81.24.74.3/unique:X ;
^D

That's all! I got it running, did a reboot and then it failed every time
until I saw the number after unique changes.

How is this number calculated? I need this for templating the script.

Thanks for your help, you made my day/week/month/year :)

Michael


Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: "Muenz, Michael", freebsd-net@freebsd.org
From: "Andrey V. Elsukov"
Date: Wed, 26 Jul 2017 16:09:01 +0300

On 26.07.2017 15:33, Muenz, Michael wrote:
>> Also, since your policies use "unique" level, you need to specify the
>> same level using "unique:N" syntax.
>>
>> Also if it is interesting to you, I patched ipfw_nat to be able to specify
>> the needed direction. The patch is untested at all :)
>> https://people.freebsd.org/~ae/nat_in_out.diff
>>
>> You need to rebuild ipfw(4) and ipfw_nat(4) kernel modules, and also the
>> ipfw(8) binary.
>>
>
> You are a genius! Many thanks for your patience with me! Now I have a
> running setup and it also works with the unpatched OPNsense kernel:
>
> kldload ipfw_nat
> ipfw nat 1 config ip 10.26.1.1 log
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> setkey -PD | grep unique
> setkey -v -c
> spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
> esp/tunnel/213.244.192.191-81.24.74.3/unique:X ;
> ^D
>
> That's all! I got it running, did a reboot and then it failed every time
> until I saw the number after unique changes.
>
> How is this number calculated? I need this for templating the script.

This number is chosen by strongswan. It would be better to know how to
configure it to specify both prefixes. You also can set the 10.26.0.0/22
prefix somewhere in leftsubnet, and then filter 10.26.1.0/24 and
10.26.3.0/24 using the firewall. I think then strongswan will generate a
policy that will route all needed traffic into the tunnel. And no manual
post-configuration will be needed.

-- 
WBR, Andrey V. Elsukov

From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220980] [panic] panic when destroying vlan interface with traffic
Date: Wed, 26 Jul 2017 15:12:54 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RELEASE
X-Bugzilla-Keywords: crash, needs-qa
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: In Progress
X-Bugzilla-Assigned-To: mjoras@freebsd.org
X-Bugzilla-Flags: mfc-stable10? mfc-stable11?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220980

Matt Joras changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |In Progress
           Assignee|freebsd-net@FreeBSD.org     |mjoras@freebsd.org

--- Comment #5 from Matt Joras ---
Thanks Harry! I appreciate the note and your running the patch :).

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Wed Jul 26 15:14:18 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 198580] Kernel panic when destroying VLANs with traffic
Date: Wed, 26 Jul 2017 15:14:18 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 9.2-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: DUPLICATE
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198580

Matt Joras changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Closed
                 CC|                            |mjoras@freebsd.org
         Resolution|---                         |DUPLICATE

--- Comment #1 from Matt Joras ---
The VLAN-relevant parts of these panics should be fixed by bug 220980.

*** This bug has been marked as a duplicate of bug 220980 ***

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Thu Jul 27 01:24:26 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 218005] sys/netinet/sctp_pcb.c: PVS-Studio: Unreachable code detected (CWE-561)
Date: Thu, 27 Jul 2017 01:24:26 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218005

Ed Maste changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |emaste@freebsd.org

--- Comment #2 from Ed Maste ---
I agree with leaving the code as is. Svyatoslav, is there an easy way that
pvs-studio would be convinced this is a false positive?

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Thu Jul 27 01:34:27 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 217920] [PATCH] ipfilter discard bytes - 3072 instead of 1024
Date: Thu, 27 Jul 2017 01:34:27 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: In Progress
X-Bugzilla-Assigned-To: delphij@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217920

Ed Maste changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |emaste@freebsd.org
             Status|New                         |In Progress
           Assignee|freebsd-net@FreeBSD.org     |delphij@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Thu Jul 27 01:36:44 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 217920] [PATCH] ipfilter discard bytes - 3072 instead of 1024
Date: Thu, 27 Jul 2017 01:36:44 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: In Progress
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217920

Ed Maste changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-net@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Thu Jul 27 01:40:21 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 217782] sys/dev/bhnd/cores/pmu/bhnd_pmu_subr.c: PVS-Studio: Assignment to Variable without Use (CWE-563) (3)
Date: Thu, 27 Jul 2017 01:40:22 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: In Progress
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217782

Ed Maste changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |emaste@freebsd.org
             Status|New                         |In Progress

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Thu Jul 27 06:20:17 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 217920] [PATCH] ipfilter discard bytes - 3072 instead of 1024
Date: Thu, 27 Jul 2017 06:20:17 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: In Progress
X-Bugzilla-Assigned-To: cy@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217920

Cy Schubert changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-net@FreeBSD.org     |cy@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Thu Jul 27 13:07:45 2017
From: "Bjoern A. Zeeb"
To: "FreeBSD Net", freebsd-transport@freebsd.org
Subject: Re: Remove flowtable from HEAD
Date: Thu, 27 Jul 2017 13:07:32 +0000
In-Reply-To: <7D1D07E3-B3B7-49FB-842D-0CD952EE6DEE@lists.zabbadoz.net>

On 10 Jul 2017, at 14:25, Bjoern A. Zeeb wrote:

> Hi,
>
> I have a review pending to remove flowtable from head. Now is the
> time to speak up if, after the inpcb caching went in a while ago, you
> still have a good reason for it to stay in the tree.
>
> Also review would be highly appreciated :)
> https://reviews.freebsd.org/D11448

And there was silence for more than 2 weeks after talking about this for
ages, so it's gone:

https://svnweb.freebsd.org/changeset/base/321618

/bz

From owner-freebsd-net@freebsd.org Thu Jul 27 19:29:45 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Thu, 27 Jul 2017 19:29:43 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: crash, needs-qa
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: eugen@freebsd.org
X-Bugzilla-Flags: maintainer-feedback+

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

--- Comment #125 from Cassiano Peixoto ---
(In reply to Eugene Grosbein from comment #124)

Hi Eugene,

Just one question, how about the libthread patch? Has it been merged as well?

Take a look at comment #53:
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=183536&action=edit

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-net@freebsd.org Fri Jul 28 02:10:28 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Fri, 28 Jul 2017 02:10:24 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: crash, needs-qa
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: eugen@freebsd.org
X-Bugzilla-Flags: maintainer-feedback+

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

--- Comment #126 from Eugene Grosbein ---
(In reply to Cassiano Peixoto from comment #125)

It is not needed to fix things. It was produced only to discover the roots
of the problem.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-net@freebsd.org Fri Jul 28 15:00:20 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 186114] net/mpd5 hangs after a certain number of users connect
Date: Fri, 28 Jul 2017 15:00:15 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: crash, needs-qa
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: eugen@freebsd.org
X-Bugzilla-Flags: maintainer-feedback+

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186114

Harald Schmalzbauer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla.freebsd@omnilan.de

--- Comment #127 from Harald Schmalzbauer ---
(In reply to Eugene Grosbein from comment #124)

Big thanks to all who stood strong and solved that!
And thanks to the conclusion by Eugene, which I partly quote here:

  The problem of mpd5 daemon hanging is now fixed with following changes:
  1. libc/syslog "cancel-safe" fix merged to stable/11 and stable/10 (to
     appear in upcoming 10.4-RELEASE and 11.1-RELEASE).
  2. Multiple libc/stdio "cancel-safe" fixes merged to stable/11 and
     stable/10 (to appear in upcoming 10.4-RELEASE and 11.1-RELEASE).

I guess 1) was r320472
I guess 2) were r320508 and r320509

These three were merged to stable/11 in r320942 at 2017-07-13 and to
stable/10 in r321074 at 2017-07-17.

So the fixes have NOT made it into 11.1-RELEASE! But 10.4 should have them,
since I can't see releng/10.4 yet.

Just for the record, in case one wants to know what to expect from 11.1.

-harry

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-net@freebsd.org Fri Jul 28 16:10:10 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 220860] Double loading of the if_bridge module causes panic
Date: Fri, 28 Jul 2017 16:10:10 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 11.0-STABLE
X-Bugzilla-Keywords: crash, needs-qa
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org
X-Bugzilla-Flags: mfc-stable10? mfc-stable11?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220860

--- Comment #3 from Marie Helene Kvello-Aune ---
I've looked at this problem for about a month and then it kind of rotted on
my shelf because I was busy IRL. But here are the underlying problems I found
which in combination cause this issue:

1) The build system installs kernel modules even if they're built into the
   kernel.
2) The boot loader doesn't (successfully) check if the module exists in the
   kernel and loads it regardless, as long as it's instructed to do so.

"kldload" properly checks if the module already exists in the kernel and
correctly refuses to load the module.

I didn't test all boot loaders, but the second problem at least happens with
the GPT ZFS loader.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-net@freebsd.org Fri Jul 28 17:31:33 2017
Date: Fri, 28 Jul 2017 17:31:32 +0000
To: freebsd-net@freebsd.org
From: "sbahra_repnop.org (Samy Al Bahra)"
Reply-to: D8637+325+4a3b3c6133fb39c2@reviews.freebsd.org
Subject: [Differential] D8637: buf_ring.h: fix memory order issues.

sbahra_repnop.org resigned from this revision.

REVISION DETAIL
  https://reviews.freebsd.org/D8637

EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: oleg, kmacy, kib, alc, sbahra_repnop.org
Cc: emaste, freebsd-net-list

From owner-freebsd-net@freebsd.org Fri Jul 28 18:11:14 2017
From: Kevin Oberman
Date: Fri, 28 Jul 2017 11:11:12 -0700
Subject: Enable 802.11 debug at boot
To: FreeBSD Net, Adrian Chadd

I am having severe issues with bringing up my network card. I had previously had this and a patch to a locking issue mostly fixed it. (It still popped up now and then, but moved from "problem" to "annoyance".) Now it is again a problem.

System is a Lenovo T520 ThinkPad running 1-STABLE with an Intel WiFi card:

iwn0@pci0:3:0:0:        class=0x028000 card=0x13118086 chip=0x00858086 rev=0x34$
    vendor     = 'Intel Corporation'
    device     = 'Centrino Advanced-N 6205 [Taylor Peak]'
    class      = network

When the card is brought up at boot time, it has a very hard time getting a connection. It could take over a minute to connect, but the system kept reporting that the card had transitioned from DOWN to UP and DHCP would fire up. After one or two cases of the card showing hung and a firmware reload, it would make a connection and things would be fine.

Since about the start of the 11.1 release cycle, it has gotten much worse and some really odd behavior has appeared. It often seems to fail to scan properly and connects to a neighbor's Xfinity (Comcast) service (very weak signal and low priority in the wpa_supplicant config file) instead of my AP. If I run "ifconfig wlan0 list scan", I don't even see my AP. If I restart, I go through the same connection dance and may eventually connect to my AP. A "list scan" usually does not show any Xfinity SSID. Weird.

It now gets really weird. I try to re-scan for APs with "ifconfig wlan0 scan". It used to take a few seconds to scan before reporting the list of APs, but now comes back instantly, always with an identical list of APs. It never changes. It looks like scan is a no-op. Waiting for background scan to run also never seems to show any change in the list of available APs. Not even slight changes in S/N ratio.

My kernel has IWN_DEBUG and IEEE80211_DEBUG, but I am not sure how to get debug enabled at boot. sysctl.conf takes care of dev.iwn.0.debug, but I'm not sure how to do "wlandebug +assoc +auth +state +rate" at boot. Do I need to write a little rc.d script to run after /usr is mounted and before the network starts? Or is there a better way?

Thanks!
-- 
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

From owner-freebsd-net@freebsd.org Fri Jul 28 18:22:50 2017
Subject: Re: Enable 802.11 debug at boot
To: freebsd-net@freebsd.org
From: Karl Denninger
Message-ID: <7e2635c5-1811-2e6b-50ce-b981271ae9d3@denninger.net>
Date: Fri, 28 Jul 2017 13:22:41 -0500

On 7/28/2017 13:11, Kevin Oberman wrote:
> I am having severe issues with bringing up my network card. I had previously
> had this and a patch to a locking issue mostly fixed it. (It still popped
> up now and then, but moved from "problem" to "annoyance".) Now it is again a
> problem.
>
> System is a Lenovo T520 ThinkPad running 1-STABLE with an Intel WiFi card:
> iwn0@pci0:3:0:0: class=0x028000 card=0x13118086 chip=0x00858086
> rev=0x34$
> vendor = 'Intel Corporation'
> device = 'Centrino Advanced-N 6205 [Taylor Peak]'
> class = network
>
> When the card is brought up at boot time, it has a very hard time getting a
> connection. It could take over a minute to connect, but the system kept
> reporting that the card had transitioned from DOWN to UP and DHCP would
> fire up. After one or two cases of the card showing hung and a firmware
> reload, it would make a connection and things would be fine.
>
> Since about the start of the 11.1 release cycle, it has gotten much worse
> and some really odd behavior has appeared. It often seems to fail to scan
> properly and connects to a neighbor's Xfinity (Comcast) service (very weak
> signal and low priority in the wpa_supplicant config file) instead of my
> AP. If I run "ifconfig wlan0 list scan", I don't even see my AP. If I
> restart, I go through the same connection dance and may eventually connect
> to my AP. A "list scan" usually does not show any Xfinity SSID. Weird.
>
> It now gets really weird. I try to re-scan for APs with "ifconfig wlan0
> scan". It used to take a few seconds to scan before reporting the list of
> APs, but now comes back instantly, always with an identical list of APs. It
> never changes. It looks like scan is a no-op. Waiting for background scan
> to run also never seems to show any change in the list of available APs.
> Not even slight changes in S/N ratio.
>
> My kernel has IWN_DEBUG and IEEE80211_DEBUG, but I am not sure how to get
> debug enabled at boot. sysctl.conf takes care of dev.iwn.0.debug, but I'm
> not sure how to do "wlandebug +assoc +auth +state +rate" at boot. Do I need
> to write a little rc.d script to run after /usr is mounted and before the
> network starts? Or is there a better way?
>
> Thanks!

I am seeing the same behavior with an X220 Thinkpad with (what I believe is) the same Centrino (a/b/g capable) WiFi card.

It works /most of the time/ eventually, but often will cycle two or three times before it finally comes up.

I did not see the problem with 11.0, but with 11.1-RELEASE it is a definite issue.
-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/

From owner-freebsd-net@freebsd.org Sat Jul 29 07:18:35 2017
Date: Sat, 29 Jul 2017 09:18:30 +0200
From: Matthias Apitz
To: freebsd-net@freebsd.org
Subject: Fwd: Re: [vpnc-devel] I need to give the same secret from the RSA token 3 times to login
Message-ID: <20170729071830.GA12731@c720-r314251>
X-Operating-System: FreeBSD 12.0-CURRENT r314251 (amd64)
User-Agent: Mutt/1.8.0 (2017-02-23)

I'm forwarding this to freebsd-net@ because it seems that the upstream mailing list vpnc-devel@unix-ag.uni-kl.de is dead.

I have modified the vpnc.c source so it prints the RSA code entered by the user; as it is a one time key, this is no security problem:

# /usr/ports/security/vpnc/work/vpnc-0.5.3/vpnc
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Connect Banner:
| ==== XXXXXXXX Germany VPN ====
|
| Use is restricted to XXXXXXXXXXXXXX authorized users.
| Usage and activity may be monitored or recorded and may be subject to auditing.
| Unauthorized access is strictly prohibited!

add host 193.31.xxx.196: gateway 10.42.0.1
...

i.e. after the 3rd same passcode it connects fine. More details below in the forwarded text.

Any ideas?

Thanks

matthias

----- Forwarded message from Matthias Apitz -----

Date: Fri, 28 Jul 2017 10:06:16 +0200
From: Matthias Apitz
To: vpnc-devel@unix-ag.uni-kl.de
Cc: ehaupt@FreeBSD.org
Subject: Re: [vpnc-devel] I need to give the same secret from the RSA token 3 times to login

(I have copied the MAINTAINER in FreeBSD, I don't know if vpnc is still maintained upstream)

Hello,

I have additional observations/remarks on this. To generate the 8-digit secret, I'm using an RSA app on my iPhone. I can reproduce the following from my home office and as well when connected over mobile data using my smartphone as an Access Point:

1. I use the app to generate the 8 digits and wait until a fresh one shows up (to have 60 seconds for the rest of the following procedure)
2. I start the vpn client and enter the 8 digits carefully
3. VPN asks me to re-enter a secret, I do so using the same 8 digits for a 2nd time
4. VPN asks me to re-enter a secret, I do so and enter the same 8 digits for the 3rd time
5. VPN comes up fine after this

This is fully reproducible if someone needs more information.

I used the --debug 3 mode of vpnc and this shows an interesting dialog in the tons of debug lines:

...
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)Connect Banner:
| ==== XXXXXXXXXXXX Germany VPN ====^M
| ^M
| Use is restricted to XXXXXXXXXXXX authorized users.^M
| Usage and activity may be monitored or recorded and may be subject to auditing.^M
| Unauthorized access is strictly prohibited!

add host 193.31.11.196: gateway 10.42.0.1
delete net 10.49.94.0: gateway 10.49.94.100 fib 0: not in table
...
S5.4 xauth type check
 [2017-07-28 07:37:04]
^M
Enter your new PIN, containing 5 chars,^M
or^M
to cancel the New PIN procedure: <*************************************
S5.5 do xauth authentication
 [2017-07-28 07:37:04]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
S5.4 xauth type check
 [2017-07-28 07:37:14]
^M
Please re-enter new PIN: <************************************
S5.5 do xauth authentication
 [2017-07-28 07:37:14]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
S5.4 xauth type check
 [2017-07-28 07:37:25]
^M
^M
PIN rejected. Please try again.^M
<****************************************
^M
Enter PASSCODE: <****************************************
S5.5 do xauth authentication
 [2017-07-28 07:37:25]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
Banner: ==== XXXXXXXXXXXX Germany VPN ====^M
^M
Use is restricted to XXXXXXXXXXXX authorized users.^M
Usage and activity may be monitored or recorded and may be subject to auditing.^M
Unauthorized access is strictly prohibited!
got save password setting: 0
got 42 acls for split include
acl 0: addr: 192.168.0.0/ 255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
...
from here all is fine connected;

There seems to be some dialog in the authentication procedure which wants me to change the PIN, asking for a confirmation of the new PIN, and is failing to accept this new PIN. This would explain why I'm asked three times for some secret: two times for some PIN and at the end for the 8 RSA digits. Does this ring someone's bell?

I tested the same with a Windows VPN client. This connects fine after entering the 8 digits the first time.

matthias

_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

----- End forwarded message -----

-- 
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.

From owner-freebsd-net@freebsd.org Sat Jul 29 18:59:56 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 212018] Enable IPSEC_NAT_T in GENERIC kernel configuration
Date: Sat, 29 Jul 2017 18:59:56 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: conf
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: feature, needs-patch
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: geezabiscuit2@hotmail.com
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org
X-Bugzilla-Flags: mfc-stable10? mfc-stable11?
X-Bugzilla-Changed-Fields: see_also

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212018

Darryn Nicol changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221091