From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 273198] [14.0 CURRENT] PF recognizes encrypted IPSec traffic as coming from WAN. | NAT with IPsec Phase 2 Networks
Date: Mon, 27 Nov 2023 13:23:48 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Who: 32carleone@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273198

cArleone <32carleone@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |32carleone@gmail.com

--- Comment #1 from cArleone <32carleone@gmail.com> ---
Hello, this error persists in FreeBSD-14 RELEASE. I tested it today.
The response from IPsec still seems to be coming from the WAN interface.

# Since it seems to be coming from the WAN, it is blocked by entering my wrong rule.
block drop in log quick on pppoe_igc1 from any to any tag "wan" ridentifier 100000001

# pflog
100000001]: block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146: Flags [S.], seg 1260103609, ack 142834308, win 65535,options [mss 1460, nop, wscale 8, nop, nop, sackoK], length o

# my nat rule
nat log on enc0 inet from { 192.168.1.0/24 } to { 32.32.32.32/32 } -> 10.200.100.1/32

# swanctl --list-sas
ipsec2000: #18, ESTABLISHED, IKEv1, 006cc2d48e260de2_i 768af4a1fdc970bf_r*
  local  '95.95.95.95' @ 95.95.95.8[4500]
  remote '212.212.212.212' @ 212.212.212.212[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 20485s ago, reauth in 56685s
  ipsec2001: #23, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 2757s ago, rekeying in 135s, expires in 843s
    in  c2ad555f, 716504 bytes, 535 packets, 14249s ago
    out c89f82d4,  70100 bytes, 523 packets,  1143s ago
    local  10.200.100.1/32|192.168.1.0/24
    remote 32.32.32.32/32|/0

-- 
You are receiving this mail because:
You are the assignee for the bug.

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 274310] pf leaks memory
Date: Wed, 29 Nov 2023 18:04:57 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 15.0-CURRENT
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: thj@FreeBSD.org
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274310

--- Comment #1 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0626d30e41cba64b41667314c3a4f7611f0eb685

commit 0626d30e41cba64b41667314c3a4f7611f0eb685
Author:     Igor Ostapenko
AuthorDate: 2023-11-29 12:35:41 +0000
Commit:     Kristof Provost
CommitDate: 2023-11-29 16:59:28 +0000

    pf: fix mem leaks upon vnet destroy

    Add missing cleanup actions:
    - remove user defined anchor rulesets
    - remove user defined ether anchor rulesets
    - remove tables linked to user defined anchors
    - deal with wildcard anchor peculiarities to get them removed correctly

    PR:             274310
    Reviewed by:    kp
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D42747

 sys/netpfil/pf/pf_ioctl.c | 67 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 60 insertions(+), 7 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.