From owner-freebsd-net@freebsd.org Mon Jan 18 16:20:04 2016
Message-ID: <569D0F2F.8060508@incore.de>
Date: Mon, 18 Jan 2016 17:13:35 +0100
From: Andreas Longwitz
To: freebsd-net@freebsd.org
Subject: pf not seeing inbound packets coming from IPSec on epair interface

In the situation IPSec --> epair0a --> epair0b pf does not see inbound packets on the interface epair0b, because the epair driver does not clear the flag PACKET_TAG_IPSEC_IN_DONE when it transfers a packet from epair0a to epair0b. The following patch for FreeBSD 10 works for me and is adapted from lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html:

--- if_epair.c.1st 2015-03-13 12:06:49.000000000 +0100 +++ if_epair.c 2016-01-18 17:07:14.911942000 +0100 @@ -469,6 +469,7 @@ struct ifnet *oifp; int error, len; short mflags; + struct m_tag *mtag; DPRINTF("ifp=%p m=%p\n", ifp, m); sc = ifp->if_softc; @@ -510,6 +511,11 @@ mflags = m->m_flags; DPRINTF("packet %s -> %s\n", ifp->if_xname, oifp->if_xname); + /* Delete an existing ipsec tag */ + mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); + if (mtag != NULL) + m_tag_delete(m, mtag); + #ifdef ALTQ /* Support ALTQ via the clasic if_start() path. */ IF_LOCK(&ifp->if_snd);

Maybe some more internal kernel information from a packet should be cleared by the epair driver when it transfers a packet from epair0a to epair0b.

--
Dr. Andreas Longwitz
Data Service GmbH
Beethovenstr. 2A
23617 Stockelsdorf
Amtsgericht Lübeck, HRB 318 BS
Managing directors: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau
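Review bot: the comment `+ /* Delete an existing ipsec tag */` in the second hunk should state why the tag is removed, not just that it is: the cover text explains that pf ignores inbound packets still carrying PACKET_TAG_IPSEC_IN_DONE, and the peer interface is meant to see the packet as if it had arrived on a wire, so something like "strip the IPsec-processed marker so the receiving side (and pf on it) treats this as a fresh inbound packet" would keep a later reader from dropping the block as a harmless cleanup. The pair `mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); if (mtag != NULL) m_tag_delete(m, mtag);` removes only the first matching tag, and the cover text itself says other per-packet kernel state may also need clearing on the crossing; the comment should record which tags were considered and why only this one is removed here, so the scope of the fix is explicit rather than implied.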