From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 232522] if_ipsec and pf doesn't work
Date: Mon, 22 Oct 2018 09:46:29 +0000
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.2-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: peter.blok@bsd4all.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232522

            Bug ID: 232522
           Summary: if_ipsec and pf doesn't work
           Product: Base System
           Version: 11.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: peter.blok@bsd4all.org

Created attachment 198460
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=198460&action=edit
Superfluous addition of pfil hooks in if_ipsec.c

A VPN with if_ipsec VTI does not keep state with the pf firewall. Below are the symptoms:

1. If the VTI is on the pf.conf "skip" list, everything works ok!

2. With a "block all" nothing goes out, so works ok!

3. When passing an ssh connection with "pass out quick on ipsec0 from any to any port ssh keep state" the ssh connections work, but drop very quickly. When I dump the pf state table, it is not ESTABLISHED/ESTABLISHED.

4. When I add pfil hooks to if_ipsec.c (see attached patch) everything works ok, but according to ae it is an additional call to the hook, which is probably why #2 works ok.

The system is now running fine with my hack and is in production, but I can set up a test system and get more info as well as debug.

-- 
You are receiving this mail because:
You are the assignee for the bug.