From owner-freebsd-net@FreeBSD.ORG Tue Jan 24 11:15:01 2012
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BCA8F106566B for ; Tue, 24 Jan 2012 11:15:01 +0000 (UTC) (envelope-from longwitz@incore.de)
Received: from mail.incore.de (dss.incore.de [195.145.1.138]) by mx1.freebsd.org (Postfix) with ESMTP id 784568FC13 for ; Tue, 24 Jan 2012 11:15:01 +0000 (UTC)
Received: from inetmail.dmz (inetmail.dmz [10.3.0.3]) by mail.incore.de (Postfix) with ESMTP id 929FE5EC58; Tue, 24 Jan 2012 11:57:47 +0100 (CET)
X-Virus-Scanned: amavisd-new at incore.de
Received: from mail.incore.de ([10.3.0.3]) by inetmail.dmz (inetmail.dmz [10.3.0.3]) (amavisd-new, port 10024) with LMTP id YPfIMTYwDkLl; Tue, 24 Jan 2012 11:57:46 +0100 (CET)
Received: from mail.incore (fwintern.dmz [10.0.0.253]) by mail.incore.de (Postfix) with ESMTP id D45F45EC56; Tue, 24 Jan 2012 11:57:46 +0100 (CET)
Received: from bsdlo.incore (bsdlo.incore [192.168.0.84]) by mail.incore (Postfix) with ESMTP id C6395450A0; Tue, 24 Jan 2012 11:57:46 +0100 (CET)
Message-ID: <4F1E8EAA.2020905@incore.de>
Date: Tue, 24 Jan 2012 11:57:46 +0100
From: Andreas Longwitz
User-Agent: Thunderbird 2.0.0.19 (X11/20090113)
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 8bit
Cc: azanar@carrel.org
Subject: Re: pf not seeing inbound packets on netgraph interface
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 24 Jan 2012 11:15:01 -0000

Hi Ed,

> I am running into a roadblock getting PF to filter traffic on
> a Netgraph interface representing an L2TP/IPSec connection.
> The problem I have is that PF only sees traffic on the outbound
> side of the netgraph interface.

This happens because the L2TP packets are tagged with an IPSEC flag for later use by ipfw, and this flag is passed on to the packets coming from ng0. That's done by netgraph under control of mpd, or better: mpd does nothing to clear this flag. With net.inet.ipsec.filtertunnel=1 you can ignore this IPSEC flag, but only globally for all interfaces in the system. That's probably not what you want, especially not for the real hardware interface the IPSEC tunnel is going through. I think L2TP under control of mpd should work independently of the existence of an IPSEC tunnel and therefore clear this flag:

--- ng_l2tp.c.orig 2010-04-15 14:40:02.000000000 +0200 +++ ng_l2tp.c 2012-01-23 17:09:41.000000000 +0100 @@ -752,6 +752,7 @@ hookpriv_p hpriv = NULL; hook_p hook = NULL; struct mbuf *m; + struct m_tag *mtag; u_int16_t tid, sid; u_int16_t hdr; u_int16_t ns, nr;
@@ -996,6 +997,11 @@ ERROUT(0); } + /* Delete an existing ipsec tag */ + mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); + if (mtag != NULL) + m_tag_delete(m, mtag); + /* Deliver data */ NG_FWD_NEW_DATA(error, item, hook, m);

This patch for the l2tp netgraph node does the job and you can use pf on the ng0 interface without any restrictions.

Regards,

-- 
Dr. Andreas Longwitz
Data Service GmbH
Beethovenstr. 2A
23617 Stockelsdorf
Amtsgericht Lübeck, HRB 318 BS
Managing Directors: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau
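Review bot: the removal in the second hunk (`mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); if (mtag != NULL) m_tag_delete(m, mtag);`) is unconditional, so every data packet this node forwards loses the tag with no way to keep the old behaviour, even though the mail itself says the tag is there for later use by ipfw; consider gating it with a node control message or a sysctl that defaults to stripping, so an ipfw setup that matches on the tag for ng0 traffic is not silently broken. The comment `/* Delete an existing ipsec tag */` should also say why the tag is wrong here: it was set for the outer IPsec-protected packet, and because the decapsulated inner packet reuses the same mbuf it inherits the tag and is then skipped by the inbound filter on ng0 whenever net.inet.ipsec.filtertunnel is 0. Only PACKET_TAG_IPSEC_IN_DONE is removed, which matches the inbound direction discussed in the thread; stating that in the comment would save the next reader from wondering about the outbound path.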
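The mechanism the reply describes, as an added userspace model in C (not FreeBSD kernel code and not the patch author's code): an mbuf carries a chain of tags, the IPsec input path attaches PACKET_TAG_IPSEC_IN_DONE to the decrypted packet, and the inbound filter is skipped for a tagged packet unless net.inet.ipsec.filtertunnel is set. The tag-list routines re-implement only the names the patch uses; the tag value, the three filter points and the interface names are assumptions for illustration. walk_inbound() shows why the sysctl is all-or-nothing (it also exposes the decrypted UDP/L2TP packet on the hardware interface) while deleting the tag in the L2TP node changes only what pf sees on ng0.

```c
/*
 * Added userspace model, not FreeBSD kernel code and not the patch author's:
 * an mbuf tag chain, the "IPsec input done" tag, and the pfil bypass it
 * causes.  The filter points and the tag value are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define PACKET_TAG_IPSEC_IN_DONE 16	/* only the identity matters here */

struct m_tag {
	struct m_tag *m_tag_link;
	int m_tag_id;
};

struct mbuf {
	struct m_tag *m_tags;	/* head of the tag chain */
};

/* Attach a tag, as the IPsec input path does to the decrypted packet. */
static void
m_tag_prepend(struct mbuf *m, int id)
{
	struct m_tag *t = calloc(1, sizeof(*t));
	if (t == NULL)
		abort();
	t->m_tag_id = id;
	t->m_tag_link = m->m_tags;
	m->m_tags = t;
}

/* First tag of type id after 'start' (NULL searches from the head). */
static struct m_tag *
m_tag_find(struct mbuf *m, int id, struct m_tag *start)
{
	struct m_tag *t = (start == NULL) ? m->m_tags : start->m_tag_link;
	for (; t != NULL; t = t->m_tag_link)
		if (t->m_tag_id == id)
			return (t);
	return (NULL);
}

/* Unlink and free one tag; a tag not on the chain is left alone. */
static void
m_tag_delete(struct mbuf *m, struct m_tag *t)
{
	struct m_tag **pp;
	for (pp = &m->m_tags; *pp != NULL; pp = &(*pp)->m_tag_link)
		if (*pp == t) {
			*pp = t->m_tag_link;
			free(t);
			return;
		}
}

/* True when ip_input skips the pfil hooks: packet already IPsec-processed
 * and net.inet.ipsec.filtertunnel is 0 (the behaviour the mail describes). */
static bool
ipsec_bypasses_filter(struct mbuf *m, int filtertunnel)
{
	return (filtertunnel == 0 &&
	    m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
}

/* Whether pf sees one inbound L2TP/IPsec packet at each filter point. */
struct walk {
	bool esp_on_hw;		/* outer ESP packet on the hardware interface */
	bool l2tp_on_hw;	/* decrypted UDP/L2TP packet re-entering ip_input */
	bool inner_on_ng0;	/* decapsulated IP packet delivered on ng0 */
};

/* strip_in_l2tp: delete the tag before forwarding, as the patch does.
 * The inner packet reuses the mbuf, so otherwise it inherits the tag. */
static struct walk
walk_inbound(int filtertunnel, bool strip_in_l2tp)
{
	struct mbuf m = { NULL };
	struct m_tag *t;
	struct walk w;

	/* 1. ESP arrives on the hardware interface: not tagged yet. */
	w.esp_on_hw = !ipsec_bypasses_filter(&m, filtertunnel);
	/* 2. IPsec decrypts, tags the packet and re-injects it into ip_input. */
	m_tag_prepend(&m, PACKET_TAG_IPSEC_IN_DONE);
	w.l2tp_on_hw = !ipsec_bypasses_filter(&m, filtertunnel);
	/* 3. ng_l2tp removes the L2TP header and, if patched, the tag. */
	if (strip_in_l2tp &&
	    (t = m_tag_find(&m, PACKET_TAG_IPSEC_IN_DONE, NULL)) != NULL)
		m_tag_delete(&m, t);
	w.inner_on_ng0 = !ipsec_bypasses_filter(&m, filtertunnel);

	while (m.m_tags != NULL)
		m_tag_delete(&m, m.m_tags);
	return (w);
}

int
main(void)
{
	struct walk w = walk_inbound(0, true);	/* patched node, sysctl left at 0 */
	printf("esp_on_hw=%d l2tp_on_hw=%d inner_on_ng0=%d\n",
	    w.esp_on_hw, w.l2tp_on_hw, w.inner_on_ng0);
	return (0);
}
```

Run the three combinations to compare: with filtertunnel=0 and an unpatched node the inner packet on ng0 is never filtered; with filtertunnel=1 it is, but so is the decrypted UDP/L2TP packet on the hardware interface; with filtertunnel=0 and the tag stripped in the node, only ng0 changes.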