Date: Mon, 22 Oct 2018 09:46:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 232522] if_ipsec and pf doesn't work
Message-ID: <bug-232522-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232522

Bug ID: 232522
Summary: if_ipsec and pf doesn't work
Product: Base System
Version: 11.2-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: peter.blok@bsd4all.org

Created attachment 198460
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=198460&action=edit
Superfluous addition of pfil hooks in if_ipsec.c

A VPN with if_ipsec VTI does not keep state with the pf firewall. Below are the symptoms:

1. If the VTI is on the pf.conf "skip" list, everything works ok!
2. With a "block all" nothing goes out, so works ok!
3. When passing an ssh connection with "pass out quick on ipsec0 from any to any port ssh keep state" the ssh connections work, but drop very quickly. When I dump the pf state table, it is not ESTABLISHED/ESTABLISHED.
4. When I add pfil hooks to if_ipsec.c (see attached patch) everything works ok, but according to ae it is an additional call to the hook, which is probably why #2 works ok.

The system is now running fine with my hack and is in production, but I can set up a test system and get more info as well as debug.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-232522-227>
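For anyone trying to reproduce the report on a test system, the following pf.conf fragment spells out the three configurations the reporter compares. It is an added example written for this page, not the reporter's own ruleset or anything from the FreeBSD source tree; the interface name ipsec0 is taken from the report, and the comments describe only what the report says was observed.

```conf
# Added example (not from the reporter or the FreeBSD tree): the three pf
# configurations compared in bug 232522, for a VTI interface named ipsec0.
# Only one variant should be active at a time; the other two are commented out.

# Variant 1 (report: works): take the VTI out of pf's path entirely, so no
# state is ever created or looked up for packets on ipsec0.
# set skip on ipsec0

# Variant 2 (report: nothing goes out, as expected for a default deny):
# block all

# Variant 3 (report: the ssh session comes up, then drops; the state entry
# never reaches ESTABLISHED/ESTABLISHED when the state table is dumped):
block all
pass out quick on ipsec0 from any to any port ssh keep state
```

Load the file with `pfctl -f /etc/pf.conf`, open an ssh session across the tunnel, and inspect the state table with `pfctl -ss` (or `pfctl -vvss` for the per-state counters and rule number). In the third variant the entry for the ssh connection is the one to watch: its TCP state pair is what the report says fails to reach ESTABLISHED/ESTABLISHED.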
