Date: Sun, 27 Feb 2022 18:54:11 -0500
From: Matteo Riondato <matteo@FreeBSD.org>
To: freebsd-net@freebsd.org
Subject: if_enc(4) and net.inet.ipcomp.ipcomp_enable
Message-ID: <00EA8894-6B8C-4D21-8D5D-DA490FD24697@FreeBSD.org>
Hello net@,

I am trying to use pf to filter packets in ipsec tunnels by filtering on enc0 from if_enc(4). I have the following values for the net.enc sysctl subtree:

net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 2

and I have

net.inet.ipsec.filtertunnel: 1

Everything works well when the tunnel does not use ipcomp, but when it does, the incoming packets seem to ignore the value of the net.enc.in.ipsec_filter_mask sysctl, thus they show up in pf "twice": once with both external and internal headers, and once only with internal (the value of 2 for this sysctl should make these packets show up only with internal headers). The same can be observed with tcpdump on enc0. This behavior makes it hard to do filtering.

Is this behavior expected?

Thanks,
Matteo
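To make the reported symptom checkable before writing pf rules, here is an added example (not from the thread or from FreeBSD) that classifies enc0 capture records as outer-header or inner-header views and compares what was seen against the configured net.enc masks. The capture lines are constructed, and the tcpdump record layout, the local tunnel endpoint 203.0.113.1 and the local inner network 10.1.0.0/16 are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed enc0 capture records (not from the thread). The layout
# "(flags): SPI 0x...: IP src > dst: summary" is an assumption about how
# tcpdump renders DLT_ENC records; adjust RECORD if your output differs.
SAMPLE_CAPTURE = """\
(authentic,confidential): SPI 0x00001001: IP 203.0.113.2 > 203.0.113.1: IPComp(cpi=0x1234)
(authentic,confidential): SPI 0x00001001: IP 10.2.0.7 > 10.1.0.5: ICMP echo request, id 4, seq 1, length 64
(authentic,confidential): SPI 0x00001002: IP 203.0.113.1 > 203.0.113.2: ESP(spi=0x00001002,seq=0x1)
"""

RECORD = re.compile(r"SPI 0x[0-9a-fA-F]+: IP (\S+) > (\S+?):? (.*)$")
# A summary that still starts with an IPsec/IPcomp protocol is the outer-header view.
OUTER_PAYLOAD = re.compile(r"^(ESP|AH|IPComp)\b")

# if_enc(4) mask bits: 1 = packet seen with outer headers, 2 = seen with inner headers.
OUTER, INNER = 1, 2


def _host(token):
    """Return the address in a tcpdump host token, dropping a trailing .port if present."""
    try:
        return ip_address(token)
    except ValueError:
        return ip_address(token.rsplit(".", 1)[0])


def classify(capture, local_endpoint, local_inner_net):
    """Count enc0 records by (direction, header view); direction is inferred from the destination."""
    endpoint = ip_address(local_endpoint)
    inner_net = ip_network(local_inner_net)
    counts = {}
    for line in capture.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        dst, summary = _host(m.group(2)), m.group(3)
        if OUTER_PAYLOAD.match(summary):
            view, inbound = "outer", dst == endpoint
        else:
            view, inbound = "inner", dst in inner_net
        key = ("in" if inbound else "out", view)
        counts[key] = counts.get(key, 0) + 1
    return counts


def mask_violations(counts, in_mask, out_mask):
    """Return the (direction, view) pairs that were seen but the configured masks should suppress."""
    masks = {"in": in_mask, "out": out_mask}
    bit = {"outer": OUTER, "inner": INNER}
    return sorted(k for k in counts if not masks[k[0]] & bit[k[1]])


if __name__ == "__main__":
    seen = classify(SAMPLE_CAPTURE, "203.0.113.1", "10.1.0.0/16")
    print(seen)
    print("unexpected views:", mask_violations(seen, in_mask=2, out_mask=1))
```

With the masks from the post (in: 2, out: 1), the inbound outer-header record is reported as unexpected, which is exactly the extra appearance the post describes with ipcomp.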