Date: Wed, 22 Oct 2014 22:05:12 +0200
Subject: Re: Broken IPsec + enc +pf/ipfw
From: Ermal Luçi
To: Matthew Grooms
Cc: freebsd-net
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Oct 22, 2014 at 9:28 PM, Matthew Grooms wrote:
> On 10/21/2014 1:39 PM, Kyle Williams wrote:
>
>> On Tue Oct 21 11:35:15 2014, Matthew Grooms wrote:
>>
>>> Hey Kyle,
>>>
>>> Thanks for lending a hand. I tested a few myself last night but had no
>>> luck. This morning I received an email off list that pointed to a patch
>>> that was merged to 10 stable. It sounds promising ...
>>>
>>> Log:
>>> Merge r263091: fix mbuf flags clash that lead to failure of operation
>>> of IPSEC and packet filters.
>>>
>>> https://lists.freebsd.org/pipermail/svn-src-stable-10/2014-March/001111.html
>>>
>>> I won't have a chance to try it until after business hours tonight, but
>>> will report back to the list with my results. Alternately, I assume you
>>> also could upgrade to 10.1-RC2 as the MFC for this patch happened back
>>> in March. I may go this route myself and then bump up to RELEASE in a
>>> few weeks when it happens.
>>>
>>
>> r263091, r266800, and r272695 together on 10.0-RELENG works for me.
>>
>> I didn't test r263091 by itself.
>>
>
> I couldn't get a kernel to boot without crashing with the single patch
> (r263091) applied. With all three patches, I can also confirm that the
> problem is resolved.
>
> And some additional info: I also experimented with using gif + IPsec
> transport mode instead of enc + IPsec tunnel mode. I was hoping that
> changing the configuration would work around the issue. Unfortunately, gif
> + IPsec transport mode was exhibiting the same type of problems that enc +
> IPsec tunnel mode was, even with a patched kernel (pf doesn't see the
> traffic on the gif interface so return traffic gets blocked for lack of a
> state entry).
>

The below patch should fix your issue.

diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 15d5bae..c31034a 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -472,11 +472,11 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP * packet later after it has been decapsulated. */ - ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE); + ipsec_bpf(m, sav, AF_INET, saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE); if (prot != IPPROTO_IPIP) if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN, - ENC_IN|ENC_BEFORE)) != 0) + saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE)) != 0) return (error); #endif @@ -727,12 +727,12 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP * packet later after it has been decapsulated. */ - ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE); + ipsec_bpf(m, sav, AF_INET6, saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE); /* XXX-BZ does not make sense. */ if (prot != IPPROTO_IPIP) if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN, - ENC_IN|ENC_BEFORE)) != 0) + saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE)) != 0) return (error); #endif

> Thanks,
>
> -Matthew
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

--
Ermal
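Review bot: In the ipsec4_common_input_cb hunk the transport-mode flag selection is written out twice as the same long ternary, once for ipsec_bpf and once for ipsec_filter, and both lines run well past 80 columns; compute it once into a local before the ipsec_bpf call, e.g. `int encflags = (saidx->mode == IPSEC_MODE_TRANSPORT) ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE;`, and pass `encflags` to both so the two calls cannot drift apart. The comment left above the calls ("We will filter the IPIP packet later after it has been decapsulated") now only describes the tunnel-mode case, since transport-mode packets are marked as the final (ENC_AFTER) pass here; the comment and the commit message should say that transport-mode traffic will from now on match ENC_AFTER rather than ENC_BEFORE masks, because that is a visible change for anyone filtering on the enc0 pass flags.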
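Review bot: The ipsec6_common_input_cb hunk repeats the IPv4 change verbatim, and the ternary dereferences `saidx->mode` while the adjacent ipsec_filter call still passes `&sav->sah->saidx`; pick one of the two for both expressions (or hoist the flags into a shared local as in the v4 path) so a reader does not have to confirm they refer to the same secasindex. The pre-existing `/* XXX-BZ does not make sense. */` comment now sits between two calls whose flag choice is identical to the v4 path; if this change resolves what that comment was about, drop it, otherwise say in the commit message why it is left in place.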