Date:      Mon, 18 Jan 2016 16:27:31 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Andreas Longwitz <longwitz@incore.de>
Cc:        freebsd-net@freebsd.org
Subject:   Re: pf not seeing inbound packets coming from IPSec on epair interface
Message-ID:  <5ADF2343-7643-41ED-B2AE-8A94A3478B95@lists.zabbadoz.net>
In-Reply-To: <569D0F2F.8060508@incore.de>
References:  <569D0F2F.8060508@incore.de>


> On 18 Jan 2016, at 16:13 , Andreas Longwitz <longwitz@incore.de> wrote:
> 
> In the situation
>        IPSec --> epair0a --> epair0b
> pf does not see inbound packets on the interface epair0b, because the
> epair driver does not clear the flag PACKET_TAG_IPSEC_IN_DONE when it
> transfers a packet from epair0a to epair0b. The following patch for
> FreeBSD 10 works for me and is adapted from
>   lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html:

Where does epair get the packet from?  A physical interface bridged to epair?

If anything should clear that, I guess it’s the bridge interface?

Hmm, but then if you are using epairs to cross between network stacks, you are changing boundaries, indeed, so if you’d run ipsec on a single epair between two VNETs, that might be interesting as well?

I guess we’ll need to find a couple of these places (epair, bridge, netgraph, …)  and make sure we strip all of the tags IFF we change the VNET?


/bz
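An added illustration, not code from either poster or from FreeBSD: a user-space C model of the mechanism the thread describes. The inbound path skips the packet filter when a packet already carries the IPsec-done tag (in FreeBSD this bypass is the ip_ipsec_filtertunnel() check), so a packet that keeps the tag across the epair hand-off is never seen by pf; stripping the tag at the hand-off, as the reporter's patch does, makes pf inspect it again. The tag numbers and helper names are constructed for the model.

```c
#include <stdlib.h>
/* Constructed user-space model of mbuf packet tags; the tag values are made up. */
#define PACKET_TAG_IPSEC_IN_DONE 1
#define PACKET_TAG_OTHER         2
struct m_tag { int type; struct m_tag *next; };
struct mbuf  { const char *ifname; struct m_tag *tags; };
struct m_tag *tag_find(const struct mbuf *m, int type)
{
    for (struct m_tag *t = m->tags; t != NULL; t = t->next)
        if (t->type == type) return t;
    return NULL;
}
void tag_prepend(struct mbuf *m, int type)
{
    struct m_tag *t = malloc(sizeof *t);
    t->type = type; t->next = m->tags; m->tags = t;
}
void tag_delete(struct mbuf *m, int type)   /* removes every tag of that type */
{
    for (struct m_tag **pp = &m->tags; *pp != NULL; ) {
        if ((*pp)->type != type) { pp = &(*pp)->next; continue; }
        struct m_tag *dead = *pp; *pp = dead->next; free(dead);
    }
}
/* Inbound rule the thread relies on: a packet already marked as processed by
 * IPsec skips the pfil hooks, so pf never inspects it. */
int filter_bypassed(const struct mbuf *m)
{
    return tag_find(m, PACKET_TAG_IPSEC_IN_DONE) != NULL;
}
/* epair hand-off with the reporter's fix: drop the IPsec marker, keep other tags. */
void epair_transfer(struct mbuf *m, const char *to_ifname)
{
    tag_delete(m, PACKET_TAG_IPSEC_IN_DONE);
    m->ifname = to_ifname;
}
/* Scenario from the report: IPsec -> epair0a -> epair0b. Returns 1 when pf would
 * inspect the packet on epair0b and the unrelated tag survived the hand-off. */
int pf_sees_packet_on_epair0b(void)
{
    struct mbuf m = { "epair0a", NULL };
    tag_prepend(&m, PACKET_TAG_OTHER);
    tag_prepend(&m, PACKET_TAG_IPSEC_IN_DONE);
    int bypassed_before = filter_bypassed(&m);   /* 1: tag present, pf skipped */
    epair_transfer(&m, "epair0b");
    int ok = bypassed_before && !filter_bypassed(&m) && tag_find(&m, PACKET_TAG_OTHER) != NULL;
    tag_delete(&m, PACKET_TAG_OTHER);
    return ok;
}
```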