From owner-freebsd-bugs@FreeBSD.ORG Tue May 9 22:00:33 2006
Message-Id: <200605092157.k49LvPN1061507@www.freebsd.org>
Date: Tue, 9 May 2006 21:57:25 GMT
From: Dmitry Andrianov
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/97057: IPSEC + pf stateful filtering does not work "out of the box"
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Tue, 9 May 2006 22:00:29 GMT

>Number:         97057
>Category:       kern
>Synopsis:       IPSEC + pf stateful filtering does not work "out of the box"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 09 22:00:29 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Andrianov
>Release:        6.0
>Organization:   DataArt
>Environment:
FreeBSD gw1 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Jan 13 21:41:10 MSK 2006 root@gw1:/usr/src/sys/i386/compile/gw1 i386
>Description:
When IPSEC is configured according to the handbook
( http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html )
but pf is used instead of ipfw, users experience very strange TCP
connection stalls.

In addition to me experiencing that problem
( http://lists.freebsd.org/pipermail/freebsd-pf/2006-May/002129.html ),
I believe the following reports also refer to the same problem I had:

http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008812.html
http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008745.html

The problem is caused by the fact that pf cannot properly track state
because it does not see packets coming from the tunnel to the gif
interface.

The problem is resolved by rebuilding the kernel with IPSEC_FILTERGIF.
And the real challenge is to find that solution, because all the
references to that option say that it is needed if you want filtering
on gif. I do NOT want filtering on gif; I want filtering on other
interfaces, but it does not work either.

In my opinion, the IPSEC_FILTERGIF option should be on by default. If
that is absolutely unacceptable, the documentation should be fixed to
reflect this "side effect" of enabling IPSEC/FAST_IPSEC without
IPSEC_FILTERGIF.
>How-To-Repeat:
Set up IPSEC according to the handbook and use the following pf ruleset:

pass in keep state
pass out keep state
>Fix:
Rebuild the kernel with IPSEC_FILTERGIF.
>Release-Note:
>Audit-Trail:
>Unformatted:
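As an added example (not part of the PR and not FreeBSD's own tooling), a small POSIX sh check that audits a kernel configuration file for the combination the report describes: IPSEC or FAST_IPSEC together with a gif device but no IPSEC_FILTERGIF, which leaves pf unable to see decapsulated tunnel packets. The function names and the two sample configuration files are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the PR: audit a FreeBSD kernel config for IPsec
# plus gif without IPSEC_FILTERGIF. Sample configs below are constructed.

# has_option CONF NAME -> true if "options NAME" is active (comments ignored)
has_option() {
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*options[[:space:]]+$2"'([[:space:]]|$)'
}
# has_device CONF NAME -> true if "device NAME" is active (comments ignored)
has_device() {
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*device[[:space:]]+$2"'([[:space:]]|$)'
}
# check_filtergif CONF -> 0: gif traffic is filtered; 1: IPsec + gif without
# IPSEC_FILTERGIF (the PR's problem); 2: no IPsec or no gif, option is moot
check_filtergif() {
    if ! has_option "$1" IPSEC && ! has_option "$1" FAST_IPSEC; then return 2; fi
    has_device "$1" gif || return 2
    has_option "$1" IPSEC_FILTERGIF && return 0
    return 1
}

# Constructed sample configs; the second has the fix from the PR applied.
BAD=$(mktemp) && GOOD=$(mktemp) && trap 'rm -f "$BAD" "$GOOD"' EXIT
cat > "$BAD" <<'EOF'
ident   GW1
options IPSEC
options IPSEC_ESP
device  gif
# options IPSEC_FILTERGIF   <- commented out: pf never sees tunnel packets
EOF
cat > "$GOOD" <<'EOF'
ident   GW1
options IPSEC
options IPSEC_ESP
options IPSEC_FILTERGIF
device  gif
EOF

for conf in "$BAD" "$GOOD"; do
    rc=0; check_filtergif "$conf" || rc=$?
    case $rc in
    0) echo "$conf: IPSEC_FILTERGIF set; pf sees decapsulated gif traffic" ;;
    1) echo "$conf: WARNING: IPsec + gif without IPSEC_FILTERGIF; pf state tracking misses tunnel packets" ;;
    2) echo "$conf: no IPsec/gif in this config" ;;
    esac
done
```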