From: "Alexander V. Chernikov"
To: Nicolas DEFFAYET
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec filtertunnel broken on FreeBSD 10
Date: Fri, 07 Feb 2014 09:54:35 +0400
Message-ID: <52F4751B.40100@FreeBSD.org>
In-Reply-To: <1391725273.22934.16.camel@fr-wks3.corp.novso.com>
List-Id: Networking and TCP/IP with FreeBSD

On 07.02.2014 02:21, Nicolas DEFFAYET wrote:
> Hello,
>
> The IPsec filtertunnel is broken on FreeBSD 10: incoming packets
> decapsulated are not going to the firewall and to the pseudo interface enc.
>
> This issue affects 10.0-RELEASE and 10.0-STABLE.
> 9.1-RELEASE and 9.2-RELEASE are not affected.
>
> Of course the sysctl shows that filtertunnel is enabled:
> net.inet.ipsec.filtertunnel=1
> net.inet6.ipsec.filtertunnel=1
>
> This issue is serious as it's not possible to use a firewall (ipfw/pf) to
> secure a gre/gif/l2tp IPsec tunnel, as the incoming decapsulated packets
> are not seen by the firewall.
>
> Many people have reported the issue on forums.freebsd.org and a bug
> report has been opened:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/185876
>
> To try to provide a fix, I have run a diff on the kernel source in the net,
> netinet, netinet6 and netipsec folders between 9.2-RELEASE and
> 10.0-RELEASE, but I didn't find what change could break IPsec
> filtertunnel.
>
>
> Can any expert or people who know the code help us please?

I'll take a look at this today.

>
>
> Many thanks!
>
>
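As an added example (not code from this thread, the PR, or FreeBSD itself), the script below shows the two sysctl knobs the report depends on, a check that both are set, and a pf.conf fragment of the kind that is supposed to filter the decapsulated tunnel traffic on enc0. The sysctl output samples are constructed; the pf rules, the peer and local addresses, and the `enc0_pf_rules`/`filtertunnel_enabled` helper names are assumptions for illustration.

```sh
#!/bin/sh
# Added example: verify the filtertunnel knobs and show the enc0 pf rules that
# only make sense when decapsulated packets really reach the firewall.

# Constructed sample: what `sysctl net.inet.ipsec.filtertunnel
# net.inet6.ipsec.filtertunnel` prints on a host with both knobs set.
SAMPLE_OK='net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec.filtertunnel: 1'

# Constructed sample: IPv6 side still at its default of 0.
SAMPLE_V6_OFF='net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec.filtertunnel: 0'

# filtertunnel_enabled OUTPUT
# Returns 0 only when both knobs read 1.  Accepts the "key: value" form that
# sysctl(8) prints and the "key=value" form used in /etc/sysctl.conf.
filtertunnel_enabled() {
    v4=$(printf '%s\n' "$1" | sed -n 's/^net\.inet\.ipsec\.filtertunnel[:=] *//p')
    v6=$(printf '%s\n' "$1" | sed -n 's/^net\.inet6\.ipsec\.filtertunnel[:=] *//p')
    [ "$v4" = "1" ] && [ "$v6" = "1" ]
}

# enc0_pf_rules PEER LOCAL
# Prints an assumed pf.conf fragment for a GRE-over-IPsec tunnel: admit GRE
# between the two tunnel endpoints on enc0 and log anything else that comes
# out of the tunnel.  With filtertunnel working, unexpected decapsulated
# traffic shows up in pflog; with the behaviour described in the report,
# these rules never see the packets at all.
enc0_pf_rules() {
    peer=$1
    local_ip=$2
    cat <<EOF
# Decapsulated IPsec traffic is handed to pf as enc0 input when filtertunnel=1
pass in quick on enc0 proto gre from $peer to $local_ip
pass out quick on enc0 proto gre from $local_ip to $peer
block in log on enc0
EOF
}

# Stand-alone run: report on the constructed samples, then print the ruleset
# for constructed (documentation-range) endpoint addresses.
if filtertunnel_enabled "$SAMPLE_OK"; then
    echo "sample 1: filtertunnel enabled for IPv4 and IPv6"
fi
if ! filtertunnel_enabled "$SAMPLE_V6_OFF"; then
    echo "sample 2: filtertunnel is not enabled on both address families"
fi
enc0_pf_rules 192.0.2.1 192.0.2.2
```

On a real host you would feed `filtertunnel_enabled "$(sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec.filtertunnel)"` instead of the samples; a passing check combined with an empty pflog for tunnel traffic is the signature of the problem the report describes, since the knobs are set but the firewall on enc0 is not consulted.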