Date: Fri, 11 Mar 2022 16:05:46 -0500
From: Matteo Riondato <matteo@freebsd.org>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: if_enc(4) and net.inet.ipcomp.ipcomp_enable
Message-ID: <20220311210546.sqdtgrtv4haxz3rg@ubertino.local>
In-Reply-To: <2eb08961-3db2-ee21-e434-e058cd360170@yandex.ru>
References: <00EA8894-6B8C-4D21-8D5D-DA490FD24697@FreeBSD.org> <2eb08961-3db2-ee21-e434-e058cd360170@yandex.ru>
On 2022-03-01 at 05:52 EST, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:

>28.02.2022 02:54, Matteo Riondato wrote:
>>Hello net@,
>>
>>I am trying to use pf to filter packets in ipsec tunnels by filtering
>>on enc0 from if_enc(4).
>>
>>I have the following values for the net.enc sysctl subtree:
>>net.enc.out.ipsec_bpf_mask: 1
>>net.enc.out.ipsec_filter_mask: 1
>>net.enc.in.ipsec_bpf_mask: 2
>>net.enc.in.ipsec_filter_mask: 2
>>
>>and I have
>>
>>net.inet.ipsec.filtertunnel: 1
>>
>>Everything works well when the tunnel does not use ipcomp, but when it
>>does, the incoming packets seem to ignore the value of the
>>net.enc.in.ipsec_filter_mask sysctl, thus they show up in pf “twice”:
>>once with both external and internal headers, and once only with
>>internal (the value of 2 for this sysctl should make these packets
>>show up only with internal headers). The same can be observed with
>>tcpdump on enc0. This behavior makes it hard to do filtering.
>>
>>Is this behavior expected?
>
>are you sure that it is not just on ingress and egress? You can use -Q
>flag for tcpdump to make sure.

Thank you for the suggestion, I realized I was just misinterpreting the
output of tcpdump.

>The first time when you see IPcomp packet in PF, it is when it arrives
>into IP stack on a physical interface (em, igb, ix, etc.). The second
>time is after decompression on if_enc interface, it is called from
>IPsec stack.

Are you sure about the above? It seems to me (only by observing the
effects of changing pf rules) that, with the net.enc sysctl values as
above, the ipcomp packet is first seen by pf on if_enc, and then on the
physical interface.

I should perhaps specify that by "ipcomp packets", I also mean the ipip
packets that may go through the tunnel uncompressed because they are not
large enough to warrant compression. I wonder whether the handling of
ipip packets vs "real" ipcomp ones is different.
Thanks,
Matteo
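An added example, not part of the thread and not FreeBSD project code: a shell script that bundles the sysctl values Matteo lists, generates a pf.conf fragment that matches the outer ESP/IPComp/IPIP packets on the physical interface and the inner cleartext on enc0, and wraps the per-direction tcpdump -Q check Andrey suggests. The interface name em0, the tunnel endpoints 192.0.2.1 and 198.51.100.1, the inner networks 10.0.1.0/24 and 10.0.2.0/24, and the permitted inner ports are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders, to be replaced:
#   em0            physical interface carrying the tunnel
#   192.0.2.1      local tunnel endpoint
#   198.51.100.1   remote tunnel endpoint
#   10.0.1.0/24    local inner network
#   10.0.2.0/24    remote inner network
EXT_IF=em0
LOCAL_GW=192.0.2.1
PEER_GW=198.51.100.1
LOCAL_NET=10.0.1.0/24
REMOTE_NET=10.0.2.0/24

# The sysctl values from the thread: out mask 1 and in mask 2 make pf see
# only the inner (cleartext) packet on enc0 in each direction, and
# filtertunnel=1 makes the IPsec stack hand tunnel-mode packets to pf at all.
enc_sysctls() {
	cat <<'EOF'
net.enc.out.ipsec_bpf_mask=1
net.enc.out.ipsec_filter_mask=1
net.enc.in.ipsec_bpf_mask=2
net.enc.in.ipsec_filter_mask=2
net.inet.ipsec.filtertunnel=1
EOF
}

# Apply them (root on the FreeBSD host; not run by the example itself).
apply_enc_sysctls() {
	enc_sysctls | while IFS= read -r kv; do
		sysctl "$kv"
	done
}

# pf.conf fragment. Outer packets (ESP, IPComp, and the plain IPIP that the
# thread notes for packets the IPComp SA leaves uncompressed) are matched on
# the physical interface between the two endpoints only; the inner cleartext
# is filtered on enc0, where the masks above make it appear exactly once.
pf_rules() {
	cat <<EOF
ext_if = "$EXT_IF"
local_net = "$LOCAL_NET"
remote_net = "$REMOTE_NET"

# outer packets between the tunnel endpoints, physical interface only
pass in  quick on \$ext_if proto { esp, ipcomp, ipencap } from $PEER_GW to $LOCAL_GW
pass out quick on \$ext_if proto { esp, ipcomp, ipencap } from $LOCAL_GW to $PEER_GW
pass in  quick on \$ext_if proto udp from $PEER_GW to $LOCAL_GW port { 500, 4500 }
pass out quick on \$ext_if proto udp from $LOCAL_GW to $PEER_GW port { 500, 4500 }

# inner cleartext, filtered on the enc interface; default deny, log the rest
block log on enc0
pass in  on enc0 proto tcp from \$remote_net to \$local_net port { 22, 443 }
pass out on enc0 from \$local_net to \$remote_net
EOF
}

# Per-direction capture on enc0 (the -Q flag suggested in the thread).
# With in mask 2 the inbound capture should show only inner addresses;
# with out mask 1 the outbound capture should likewise show only inner ones.
tcpdump_enc_in()  { tcpdump -Q in  -ni enc0 "$@"; }
tcpdump_enc_out() { tcpdump -Q out -ni enc0 "$@"; }

# Sanity check on the generated fragment: number of filter rules bound to enc0.
enc0_rule_count() {
	pf_rules | grep -Ec '^(pass|block) .*on enc0'
}
```

To use it on the host, run apply_enc_sysctls, append the output of pf_rules to /etc/pf.conf and reload with pfctl -f, then compare tcpdump_enc_in and tcpdump_enc_out against a capture on the physical interface to confirm which copy of each packet pf is matching.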
