From owner-freebsd-bugs@FreeBSD.ORG Wed Mar 28 06:10:03 2007
Message-Id: <200703280547.l2S5lEna008447@curry.mchp.siemens.de>
Date: Wed, 28 Mar 2007 07:47:14 +0200 (CEST)
From: Andre Albsmeier
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/110959: Filtering incoming packets with enc0 does not work with GIF-based IPSec setups

>Number:         110959
>Category:       kern
>Synopsis:       Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 28 06:10:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Andre Albsmeier
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:

System: FreeBSD 6.2-STABLE #0: Tue Mar 20 09:54:57 CET 2007

	...
	options FAST_IPSEC
	device pf
	device pflog
	device gif
	device enc
	device random
	device crypto
	...

using a GIF-based IPSec connection and pf.

>Description:

When using GIF-based IPSec setups it is not possible to filter
incoming packets using enc0 in pf. For example, adding a line

	pass quick log on enc0 all

on top of all rules will log only outgoing packets. It does not
matter whether IPSEC_FILTERGIF has been compiled into the kernel or not.

When using standard IPSec setups (without GIF tunnels) everything
works as it should (e.g., the above line will cause all packets
to be logged).

>How-To-Repeat:

Set up a GIF-based IPSec connection and pf, add the above-mentioned
line on top of all rules and watch the logs (while sending packets
over the link).

>Fix:

Currently unknown.

>Release-Note:
>Audit-Trail:
>Unformatted:
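
An added example, not part of the original report: a small check for the symptom described above, counting logged packets per direction on enc0 from the text output of `tcpdump -n -e` reading the pflog. The function names, the sample log lines and all addresses in them are constructed, and the assumed line shape is `rule N/0(match): pass in|out on IFACE: ...`.

```sh
#!/bin/sh
# Count logged packets per direction for one interface.
# Reads decoded pflog text on stdin; assumed line shape (constructed here):
#   <time> rule 0/0(match): pass in on enc0: src > dst: ...
pflog_directions() {
    awk -v ifc="$1" '
        {
            for (i = 1; i + 2 <= NF; i++) {
                # match the token triple: in|out, "on", "<iface>:"
                if (($i == "in" || $i == "out") && $(i+1) == "on" && $(i+2) == (ifc ":")) {
                    n[$i]++
                    break
                }
            }
        }
        END { printf "in=%d out=%d\n", n["in"], n["out"] }
    '
}

# Verdict for the symptom in this report: outbound logged, inbound absent.
enc_inbound_verdict() {
    counts=$(pflog_directions "$1")
    case "$counts" in
        "in=0 out=0") echo "no-traffic" ;;
        in=0\ *)      echo "inbound-missing" ;;
        *)            echo "ok" ;;
    esac
}

# Constructed sample: GIF-based tunnel, only outgoing packets logged on enc0.
sample_gif() {
cat <<'EOF'
00:00:01.000000 rule 0/0(match): pass out on enc0: 10.1.0.1 > 10.2.0.1: ICMP echo request, id 7, seq 0, length 64
00:00:01.004100 rule 3/0(match): pass in on em0: 192.0.2.2 > 192.0.2.1: ESP(spi=0x00001001,seq=0x1), length 116
00:00:02.000000 rule 0/0(match): pass out on enc0: 10.1.0.1 > 10.2.0.1: ICMP echo request, id 7, seq 1, length 64
EOF
}

# Constructed sample: plain IPSec setup, both directions logged on enc0.
sample_plain() {
cat <<'EOF'
00:00:01.000000 rule 0/0(match): pass out on enc0: 10.1.0.1 > 10.2.0.1: ICMP echo request, id 9, seq 0, length 64
00:00:01.003900 rule 0/0(match): pass in on enc0: 10.2.0.1 > 10.1.0.1: ICMP echo reply, id 9, seq 0, length 64
EOF
}

sample_gif | enc_inbound_verdict enc0
```

On a live system the same functions can be fed from tcpdump reading the pflog interface or log file while traffic is sent over the link.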