Date: Fri, 07 Feb 2014 09:54:35 +0400
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To: Nicolas DEFFAYET <nicolas-ml@deffayet.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec filtertunnel broken on FreeBSD 10
Message-ID: <52F4751B.40100@FreeBSD.org>
In-Reply-To: <1391725273.22934.16.camel@fr-wks3.corp.novso.com>
References: <1391725273.22934.16.camel@fr-wks3.corp.novso.com>

On 07.02.2014 02:21, Nicolas DEFFAYET wrote:
> Hello,
>
> The IPsec filtertunnel is broken on FreeBSD 10: incoming decapsulated
> packets are not going to the firewall and to the pseudo interface enc.
>
> This issue affects 10.0-RELEASE and 10.0-STABLE.
> 9.1-RELEASE and 9.2-RELEASE are not affected.
>
> Of course the sysctl shows that filtertunnel is enabled:
> net.inet.ipsec.filtertunnel=1
> net.inet6.ipsec.filtertunnel=1
>
> This issue is serious as it's not possible to use a firewall (ipfw/pf) to
> secure a gre/gif/l2tp IPsec tunnel, as the incoming decapsulated packets
> are not seen by the firewall.
>
> Many people have reported the issue on forums.freebsd.org and a bug
> report has been opened:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/185876
>
> To try to provide a fix, I have run a diff on the kernel source in the net,
> netinet, netinet6 and netipsec folders between 9.2-RELEASE and
> 10.0-RELEASE but I haven't found what change can break IPsec
> filtertunnel.
>
>
> Can any expert or anyone who knows the code help us, please?

I'll take a look at this today.

>
>
> Many thanks!
>
>
