Date:      Mon, 7 Mar 2022 20:02:13 -0500
From:      Matteo Riondato <matteo@FreeBSD.org>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        freebsd-net@freebsd.org
Subject:   Re: if_enc(4) and net.inet.ipcomp.ipcomp_enable
Message-ID:  <DE70F39D-EEA0-4C38-82ED-CA9F1A1FBB20@FreeBSD.org>
In-Reply-To: <2eb08961-3db2-ee21-e434-e058cd360170@yandex.ru>
References:  <00EA8894-6B8C-4D21-8D5D-DA490FD24697@FreeBSD.org> <2eb08961-3db2-ee21-e434-e058cd360170@yandex.ru>


> On Mar 1, 2022, at 5:52 AM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
>
> 28.02.2022 02:54, Matteo Riondato writes:
>> Hello net@,
>> I am trying to use pf to filter packets in ipsec tunnels by filtering
>> on enc0 from if_enc(4).
>> I have the following values for the net.enc sysctl subtree:
>> net.enc.out.ipsec_bpf_mask: 1
>> net.enc.out.ipsec_filter_mask: 1
>> net.enc.in.ipsec_bpf_mask: 2
>> net.enc.in.ipsec_filter_mask: 2
>> and I have
>> net.inet.ipsec.filtertunnel: 1
>> Everything works well when the tunnel does not use ipcomp, but when
>> it does, the incoming packets seem to ignore the value of the
>> net.enc.in.ipsec_filter_mask sysctl, thus they show up in pf "twice":
>> once with both external and internal headers, and once only with
>> internal (the value of 2 for this sysctl should make these packets
>> show up only with internal headers). The same can be observed with
>> tcpdump on enc0. This behavior makes it hard to do filtering.
>> Is this behavior expected?
>
> Hi,
>
> are you sure that it is not just on ingress and egress? You can use the -Q
> flag for tcpdump to make sure.
>
> The first time you see the IPcomp packet in PF is when it arrives in the
> IP stack on a physical interface (em, igb, ix, etc.). The second time is
> after decompression on the if_enc interface; it is called from the IPsec
> stack.

Hi Andrey,

Sorry for the late reply, somehow your message went into my spam folder. :/
It'll take me a few days to check, but I'll try your suggestion of using
-Q to better understand what I'm seeing.

Thanks,
Matteo
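The two sightings Andrey describes (once on the physical interface, once on enc0 after decapsulation) map onto two separate places in a ruleset. The pf.conf fragment below is an added example for this thread, not a configuration posted by either participant: it passes the outer IKE/ESP/IPComp packets on the physical interface with "quick" so they are not evaluated again, and does the actual policy on enc0, where net.enc.in.ipsec_filter_mask=2 (as in the sysctl values quoted above) hands pf the inner headers only. The interface name em0, the peer address 203.0.113.2 and the two subnets are assumptions for illustration; "ipcomp" is protocol 108 from /etc/protocols.

```pf
# Added example, not from the thread. Assumed names: em0, peer, subnets.
ext_if     = "em0"
peer       = "203.0.113.2"
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"

# Outer packets on the physical interface. An inbound IPComp (or ESP)
# packet is first seen here, before the IPsec stack has decapsulated it.
# Both ESP and IPComp are passed so that whichever outer protocol the SA
# uses is handled at this layer; "quick" stops further evaluation.
pass in  quick on $ext_if proto udp    from $peer     to ($ext_if) port { 500, 4500 }
pass out quick on $ext_if proto udp    from ($ext_if) to $peer     port { 500, 4500 }
pass in  quick on $ext_if proto esp    from $peer     to ($ext_if)
pass out quick on $ext_if proto esp    from ($ext_if) to $peer
pass in  quick on $ext_if proto ipcomp from $peer     to ($ext_if)   # proto 108
pass out quick on $ext_if proto ipcomp from ($ext_if) to $peer       # proto 108

# Inner packets on enc0. With net.enc.in.ipsec_filter_mask=2 the inbound
# copy seen here carries only the inner IP header, so rules match on the
# tunnelled subnets, not on the peer address. Default-deny, then allow.
block in  on enc0
block out on enc0
pass in  on enc0 from $remote_net to $local_net
pass out on enc0 from $local_net  to $remote_net
```

To check which copy a given packet is, run tcpdump on enc0 with the direction filter Andrey suggests, "tcpdump -ni enc0 -Q in" and separately "tcpdump -ni enc0 -Q out", and compare with "tcpdump -ni em0 proto esp or proto ipcomp" on the physical interface; a packet that appears with outer headers on em0 and with inner headers only under "-Q in" on enc0 is the expected two-stage path, not a duplicate on enc0.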
