Date: Mon, 22 Oct 2018 09:46:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 232522] if_ipsec and pf doesn't work
Message-ID: <bug-232522-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232522

            Bug ID: 232522
           Summary: if_ipsec and pf doesn't work
           Product: Base System
           Version: 11.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: peter.blok@bsd4all.org

Created attachment 198460
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=198460&action=edit
Superfluous addition of pfil hooks in if_ipsec.c

A VPN with if_ipsec VTI does not keep state with the pf firewall. Below are the symptoms:

1. If the VTI is on the pf.conf "skip" list, everything works ok!

2. With a "block all" nothing goes out, so works ok!

3. When passing an ssh connection with "pass out quick on ipsec0 from any to any port ssh keep state", the ssh connection works, but drops very quickly. When I dump the pf state table, it is not ESTABLISHED/ESTABLISHED.

4. When I add pfil hooks to if_ipsec.c (see attached patch) everything works ok, but according to ae it is an additional call to the hook, which is probably why #2 works ok.

The system is now running fine with my hack and is in production, but I can set up a test system and get more info as well as debug.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-232522-227>
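The three pf configurations the reporter compares (VTI on the skip list, "block all", and a stateful pass rule on ipsec0), together with a check that reads `pfctl -ss` output and reports whether every TCP state on the VTI has actually reached ESTABLISHED:ESTABLISHED, as an added example that is not part of the bug report, the attached patch, or the FreeBSD tree. It assumes an if_ipsec(4) interface already named ipsec0 and tunnel addresses 10.1.0.1/10.1.0.2; the pfctl state lines used for the offline check are constructed, not captured from the reporter's system. The pass rule adds `proto tcp`, which pfctl requires for a `port` match and which the rule as quoted in the report omits.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeBSD.
# Assumes: a VTI named ipsec0 exists (if_ipsec(4)) and pf is enabled.

# Variant 1 (symptom 1): take the VTI out of pf entirely. Works.
pf_skip_ruleset() {
    cat <<'EOF'
set skip on ipsec0
block all
EOF
}

# Variant 2 (symptom 2): nothing passes at all. "Works" trivially.
pf_block_all_ruleset() {
    cat <<'EOF'
block all
EOF
}

# Variant 3 (symptom 3): stateful pass for ssh over the VTI. The reporter
# sees the session come up and then drop, with the state never reaching
# ESTABLISHED:ESTABLISHED. `proto tcp` is added here because pfctl rejects
# a `port` match without a protocol.
pf_ssh_keepstate_ruleset() {
    cat <<'EOF'
block all
pass out quick on ipsec0 proto tcp from any to any port ssh keep state
EOF
}

# Read `pfctl -ss` lines on stdin and succeed (exit 0) only if at least one
# TCP state is bound to $1 and every such state is ESTABLISHED:ESTABLISHED.
# pfctl -ss prints one state per line: <if> <proto> <src> <dir> <dst> <states>.
vti_states_established() {
    ifn="$1"
    awk -v ifn="$ifn" '
        $1 == ifn && $2 == "tcp" {
            total++
            if ($NF == "ESTABLISHED:ESTABLISHED") ok++
        }
        END { if (total > 0 && ok == total) exit 0; exit 1 }'
}

# Constructed sample output (assumed addresses), not real captures.
SAMPLE_HEALTHY='ipsec0 tcp 10.1.0.2:51234 -> 10.1.0.1:22       ESTABLISHED:ESTABLISHED
em0 tcp 192.0.2.10:443 <- 198.51.100.7:40000       ESTABLISHED:ESTABLISHED'
SAMPLE_STUCK='ipsec0 tcp 10.1.0.2:51234 -> 10.1.0.1:22       ESTABLISHED:SYN_SENT'

# On the test box (as root), load a variant and check the live state table:
#   pf_ssh_keepstate_ruleset | pfctl -f -
#   ssh 10.1.0.1 true
#   pfctl -ss | vti_states_established ipsec0 && echo "states fully established"
```

The check is deliberately strict: a single half-established entry on the VTI makes it fail, which is exactly the condition the reporter describes in symptom 3 and the thing to compare before and after applying the attached pfil-hook patch.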