From owner-freebsd-pf@FreeBSD.ORG Sun Jun 11 20:20:08 2006
From: "Jason" <Jason@WinSE.ath.cx>
To: freebsd-pf@freebsd.org
Date: Sun, 11 Jun 2006 15:21:29 -0500
Subject: synproxy state

What is the trick to getting synproxy working on recent versions of PF?
When I activated it, I was unable to connect to anything.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 12 08:40:23 2006
From: Ludovit Koren <lk@tempest.sk>
To: freebsd-pf@freebsd.org
Date: Mon, 12 Jun 2006 10:40:13 +0200
Message-ID: <20060612.104013.74757673.lk@tempest.sk>
Subject: FreeBSD 6.1-RELEASE + PF

Hi,

I have a problem setting up PIM and IGMP communication with pf on FreeBSD
6.1-RELEASE.

# pfctl -s state
self igmp 195.28.109.40 -> 224.0.0.2       SINGLE:NO_TRAFFIC
self igmp 195.28.109.40 -> 224.0.0.13      SINGLE:NO_TRAFFIC
self igmp 224.0.0.1 <- 195.28.109.25       NO_TRAFFIC:SINGLE
self igmp 224.0.0.2 <- 195.28.109.40       NO_TRAFFIC:SINGLE
self igmp 224.0.0.13 <- 195.28.109.40      NO_TRAFFIC:SINGLE
self tcp 195.28.109.40:22 -> 195.28.109.37:58349       ESTABLISHED:ESTABLISHED
self udp 255.255.255.255:8225 <- 195.28.109.29:1025       NO_TRAFFIC:SINGLE
self pim 195.28.109.40 -> 224.0.0.13       SINGLE:NO_TRAFFIC
self pim 224.0.0.13 <- 195.28.109.25       NO_TRAFFIC:SINGLE
self pim 224.0.0.13 <- 195.28.109.40       NO_TRAFFIC:SINGLE
self pfsync 195.28.109.40 -> 0.0.0.0       SINGLE:NO_TRAFFIC

xorp immediately starts to give the following message:

[ 2006/06/09 17:13:24 WARNING xorp_fea XrlMfeaTarget ] Handling method for
mfea/0.1/send_protocol_message4 failed: XrlCmdError 102 Command failed
Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on
vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif
em0) failed: Operation not permitted
[ 2006/06/09 17:13:24 ERROR xorp_pimsm4:18051 PIM +2623 xrl_pim_node.cc
mfea_client_send_protocol_message_cb ] Cannot send a protocol message: 102
Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to
224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to
224.0.0.13 on vif em0) failed: Operation not permitted

# pfctl -s rules
scrub in all fragment reassemble
block drop in log all
pass in on xl0 inet from to 195.28.126.13 keep state
pass out on xl0 inet from 195.28.126.13 to keep state queue dflt
pass out on xl0 inet from 195.28.126.13 to any keep state queue dflt
pass out on em0 inet all keep state queue dfltem
pass out on em1 inet all keep state queue dfltem1
pass in proto tcp from any to any port = ssh keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 5060 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 port = 8000 to 195.28.109.40 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 port = 8001 to 195.28.109.40 keep state
pass in on em0 inet proto tcp from 195.28.109.36 to 195.28.109.40 port = nut keep state
pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = http keep state
pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = 4445 keep state
pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = http keep state
pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = 4445 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port 9999:20001 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = domain keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4520 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4569 keep state
pass in on em0 all keep state
pass in on em1 all keep state

When I disable the firewall, xorp runs as expected. It does not matter
whether I add a specific rule for PIM and IGMP or a general one, i.e. let
all traffic go through.

Is it a bug in pf or am I doing something wrong? Any help appreciated.

Regards,

lk

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 12 11:03:09 2006
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 12 Jun 2006 11:03:05 GMT
Message-Id: <200606121103.k5CB35Oj098948@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/09/13] kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530  pf    Incorrect checksums when using pf's route

4 problems total.

Non-critical problems
S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/04/21] bin/96150      pf    pfctl(8) -k non-functional
o [2006/05/09] kern/97057     pf    IPSEC + pf stateful filtering does not wo

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 12 19:39:19 2006
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Ludovit Koren" <lk@tempest.sk>
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 Jun 2006 12:39:16 -0700
In-Reply-To: <20060612.104013.74757673.lk@tempest.sk>
Subject: Re: FreeBSD 6.1-RELEASE + PF

Perhaps your application needs specific IP options. PF blocks packets with
IP options set by default.

Append 'allow-opts' to the relevant rules.

-Kian

On 6/12/06, Ludovit Koren wrote:
> Hi,
>
> I have problem to set up PIM and IGMP communication with pf on FreeBSD
> 6.1-RELEASE.
>
> [...]
>
> when I disable the firewall xorp runs as expected. It does not matter
> if I add specific rule for PIM and IGMP or general, i.e. let all
> traffic go through.
>
> Is it a bug in the pf or am I doing something wrong? Any help appreciated.

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 13 17:13:47 2006
From: Ludovit Koren <lk@tempest.sk>
To: kian.mohageri@gmail.com
Cc: freebsd-pf@freebsd.org
Date: Tue, 13 Jun 2006 19:13:48 +0200
Message-ID: <20060613.191348.78700760.lk@tempest.sk>
Subject: Re: FreeBSD 6.1-RELEASE + PF

>>>>> On Mon, 12 Jun 2006 12:39:16 -0700
>>>>> kian.mohageri@gmail.com(Kian Mohageri) said:

> Perhaps your application needs specific IP options. PF blocks packets with
> IP options set by default.
>
> Append 'allow-opts' to the relevant rules.
>
> -Kian

thanks. that was it.

lk

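The fix Kian gives and Ludovit confirms, written out as an added example that is not the original poster's ruleset: the PIM/IGMP rules without allow-opts beside the same rules with it. The interface em0 and the 195.28.109.0/24 network are the poster's; the macro names and the 224.0.0.0/4 destination are assumptions.

```pf
# Added example, not the ruleset from the thread. em0 and 195.28.109.0/24
# come from the poster's output; the macro names and the multicast range
# are assumed.
lan_if  = "em0"
lan_net = "195.28.109.0/24"
mcast   = "224.0.0.0/4"    # all IPv4 multicast: 224.0.0.2 (IGMP), 224.0.0.13 (PIM)

scrub in all fragment reassemble
block drop in log all

# Broken: these rules do match the PIM and IGMP packets, but IGMPv2
# messages carry the IP Router Alert option (and multicast routers set it
# on PIM as well), and pf drops a packet with IP options even when a rule
# passes it, unless that rule says allow-opts. The drop is visible as a
# growing "ip-option" counter in 'pfctl -s info'; for locally generated
# packets it surfaces as sendmsg() failing with "Operation not permitted".
# A plain "pass all" does not help, because the default rule has no
# allow-opts either.
#pass in  on $lan_if inet proto { pim, igmp } from $lan_net  to $mcast keep state
#pass out on $lan_if inet proto { pim, igmp } from ($lan_if) to $mcast keep state

# Fixed: the same rules with allow-opts. Keep allow-opts confined to the
# multicast routing protocols and the local segment rather than adding it
# to the general rules; IP options such as source routing are blocked by
# default for a reason.
pass in  on $lan_if inet proto { pim, igmp } from $lan_net  to $mcast keep state allow-opts
pass out on $lan_if inet proto { pim, igmp } from ($lan_if) to $mcast keep state allow-opts
```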
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 14 06:11:51 2006
From: Jaye Mathisen <mrcpu@mathisen.org>
To: freebsd-pf@freebsd.org
Date: Tue, 13 Jun 2006 23:23:07 -0700
Message-ID: <20060614062307.GB92024@main.mathisen.org>
Subject: Couple minor sniglets with pf...

I have a soekris, running a fairly release of 6.x with PF support. Until
now, it had been purely used for binat, which worked just fine, but didn't
use any other features.

Finally decided to get rid of my other gear, and just "drop down" to the
basics, so wanted to start using PF for NAT. And it works fine, except for
one problem I'm having, which I think is related to binat and nat.

There are 3 interfaces. sis0, which is my private network. sis1 which
connects to the internet, and sis2 which connects to a separate "privatish"
network, that is where the end hosts for the binat stuff reside.

So, my home PC, on sis0, goes through NAT out to the world, that all works
fine, with 2 exceptions. (which I'll get to in a moment.).

The problem is if I need to get from a device on my home network,
192.168.0.x to a server that is one of the binat'd ones, that get xlat'd
from public IP's to 192.168.2.x... If I connect to the 192.168.2.x IP
directly, it works fine, so it's not route problems, I think just
something with the combination of NAT and binat is not working.

The 2nd issue is that I cannot get any AIM clients to login. They worked
fine before pf, and now they don't. They get partway through the login
process, and then always error out with "A connect error occurred". Just
to make sure I'm not smoking dope, I replaced the soekris with my old
linksys router I was using, and it works fine, logs in instantly.

I have not tested regular natd to see.

The symptoms of the public IP connection issue is that for example, if I
login to 70.68.179.172 which is binat'd to 192.168.2.100 via ssh, I *get*
a login prompt and password. But when I enter it, I'm logged in to the
soekris router, *not* the .100 box.

I include my minimal pf config cobbled from an example...:

rtr# cat /etc/pf.conf.local | grep -v '^#' | cat -s
ext_if="sis1"   # replace with actual external interface name i.e., dc0
int_if="sis0"   # replace with actual internal interface name i.e., dc1
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set loginterface $int_if

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
binat on sis1 from 192.168.2.100 to any -> 70.58.179.172
binat on sis1 from 192.168.2.103 to any -> 70.58.179.171
binat on sis1 from 192.168.2.104 to any -> 70.58.179.170

pass in all
pass out all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Thanks for any help.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 14 10:01:03 2006
From: Florent Thiery <florent.thiery@int-evry.fr>
To: freebsd-pf@freebsd.org
Date: Wed, 14 Jun 2006 10:01:03 -0000
X-Original-Date: Thu, 13 Jul 2006 12:00:23 +0200
Message-ID: <44B619B7.9050100@int-evry.fr>
Subject: PF+ALTQ as Anti-DoS?

Hi,

I'm having trouble finding information related to the use of altq as a DoS
mitigation technique... Do you have any interesting pointers?

Thanks in advance

Regards

Florent Thiery

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 14 10:12:56 2006
From: "Vlad GALU" <vladgalu@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 14 Jun 2006 13:12:30 +0300
Message-ID: <79722fad0606140312i569cf55dsc84b9cb17ce692bc@mail.gmail.com>
In-Reply-To: <44B619B7.9050100@int-evry.fr>
Subject: Re: PF+ALTQ as Anti-DoS?

On 7/13/06, Florent Thiery wrote:
> Hi,
>
> I'm having trouble finding information related to the use of altq as DoS
> mitigation technique... Do you have any interesting pointers ?

If you have enough memory, synproxy + max-src-states + max-src-conn is a
great triplet.

-- 
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.

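Vlad's triplet spelled out as an added example, not configuration from the thread: synproxy with per-source state and connection limits feeding an overload table, plus the state-table limit behind the "if you have enough memory" caveat. The interface fxp0, the ports, the table name and every number are assumptions to be sized for the host.

```pf
# Added example, not from the thread. Interface, services, table name and
# limits are assumed; tune them to the host and its traffic.
ext_if    = "fxp0"
web_ports = "{ 80, 443 }"

# "If you have enough memory": every synproxied handshake and every tracked
# connection is a state entry, so the state table is what a flood fills
# first. Raise the default (10000) deliberately, within what the box can
# hold, instead of letting it overflow and drop legitimate sessions.
set limit states 100000

# Sources that exceed the limits below are added here and stay blocked until
# the entries are expired, e.g. from cron: pfctl -t flooders -T expire 3600
table <flooders> persist
block in quick on $ext_if from <flooders>

# synproxy state: pf answers the client's SYN itself and only opens a state
# and completes a handshake with the server after the client's ACK arrives,
# so half-open connections from a SYN flood never reach the service. pf
# must see both directions of the session for this to work.
#   max-src-states    caps the states one source address may hold
#   max-src-conn      caps its completed TCP connections
#   max-src-conn-rate caps new connections per source per interval
#   overload ... flush global  moves an offender into <flooders> and kills
#                              all of its states, not only this rule's
pass in on $ext_if inet proto tcp from any to ($ext_if) port $web_ports \
    flags S/SA synproxy state \
    (max-src-states 100, max-src-conn 50, max-src-conn-rate 20/10, \
     overload <flooders> flush global)

# Other services get the same shape with limits sized for that service.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA synproxy state \
    (max-src-conn-rate 5/30, overload <flooders> flush global)
```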
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 14 10:39:45 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FAEA16A41B; Wed, 14 Jun 2006 10:39:45 +0000 (UTC) (envelope-from sebastien.valsemey@vsystems.eu) Received: from pallena.vsystems.eu (pallena.vsystems.eu [195.5.252.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C58143D4C; Wed, 14 Jun 2006 10:39:41 +0000 (GMT) (envelope-from sebastien.valsemey@vsystems.eu) DKIM-Signature: a=rsa-sha1; c=simple; d=vsystems.eu; s=VSystems; t=1150281987; x=1150886787; q=dns; h=DomainKey-Signature:From:To: Subject:Date:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding:Thread-Index; b=XLHIVxBYW20986z4q8WhWS snmmVdyGd/z5tbJ6VL2erq337jMGz37B4GNGEZ2BGOeQtohtsnx29QZSEaWrfhps PxrN1sx3Sd8mS/kjHqgYE6uTH1cLGlsmsJHowPjSwIPsf+DM+b2xvS3ztpoa4wYa UI2XqUtnSMgyaqUV/THNY= DomainKey-Signature: a=rsa-sha1; s=VSystems; d=vsystems.eu; c=simple; q=dns; h=from:message-id; b=UVMePJhKMiWaTLLzztkr7+hfn21poH13m9sfIUHZo3bA2i4nZwFi6Uny6dcl FJ1J1KFSWkPF8XjnSpjtaSbvnbLKyAGAqPJAo0YJnYctBLDH2/CzbjLq5 OEAiZ/pzk1fIJeUgdDw8XzrY33UZUzy7+gfRv2NnPkf7B0MXS84OsE=; 
From: Sébastien A. VALSEMEY
Date: Wed, 14 Jun 2006 12:41:38 +0200
Message-ID: <004201c68f9f$1e5e8200$0da7a8c0@FR.B3W>
Subject: IPF and OOW problems

Hello,

I am sorry about the cross-posting but it seems I did not get any answer to my previous post to the freebsd-net mailing list.

> I currently have a FreeBSD 6.1-STABLE box configured as a router/firewall with ipfilter v4.1.8.
>
>                 WAN_IP/32
>                     |
>                   tun0
>                     |
>                |---------|
>                | FreeBSD |
>                |---------|
>                /         \
>              xl0         xl1
>              /             \
>    192.168.0.0/24       DMZ_BLOCK/29
>
> I often experience in my ipf logs such packet drops (the following example is for an active upload on a FTP server located on the first IP of the DMZ network). My IPs have been voluntarily hidden for privacy purposes.
>
> ipmon[329]: 13:12:41.185263 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 1300 -A IN OOW
> ipmon[329]: 13:12:41.186493 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 356 -AP IN OOW
>
> Packet drop occurs a few seconds after the beginning of the transfer, even allowing a few kilobytes to be uploaded, which means that the connection establishes well.
>
> And on the other hand, when I try to reach DMZ machines from the LAN (for example via RDP), I am systematically dropped with the same kind of OOW packet, I mean the connection is not even established.
>
> As ICMP is allowed on the whole network, I can traceroute and reach each host in the network, from inside and outside (except for the natted LAN...). The IP masquerading for hosts located on the LAN works perfectly as they can go on the Internet without any problem.
>
> When I add the two following lines in my ipf ruleset, everything runs smoothly (but insecure!):
> pass in quick all
> pass out quick all
>
> I heard that such problems occur with the same version of ipf on Solaris (http://msgs.securepoint.com/cgi-bin/get/ipfilter-0605/28.html), but I am not sure it happens because of that.
>
> What did I do wrong?
>
> Thank you in advance for your help.
>
> Here are extracts from my main configuration files:
>
> [/etc/rc.conf]
> <... *snip*! ...>
> firewall_enable="NO"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/rc.firewall.rules"
> firewall_logging="YES"
> gateway_enable="YES"
> icmp_drop_redirects="YES"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_xl0="inet 192.168.0.254 netmask 255.255.255.0"
> ifconfig_xl1="inet DMZ_IP_6 netmask 255.255.255.248"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipnat_enable="YES"
> ipnat_program="/sbin/ipnat"
> ipnat_rules="/etc/ipnat.rules"
> ipnat_flags=""
> ipmon_enable="YES"
> ipmon_program="/sbin/ipmon"
> ipmon_flags="-Ds"
> kern_securelevel="0"
> kern_securelevel_enable="NO"
> network_interfaces="lo0 xl0 xl1"
> ppp_enable="YES"
> ppp_mode="ddial"
> ppp_nat="NO"
> ppp_profile="My_ISP_PROFILE"
> <... *snip*! ...>
>
> [/etc/ipf.rules]
> # Allow localhost traffic
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # Allow all outgoing traffic from this gateway
> pass out quick on tun0 from any to any keep state
> pass out quick on tun0 proto tcp from any to any keep state
> pass out quick on xl0 from any to 192.168.0.0/24 keep state
> pass out quick on xl0 proto tcp from any to 192.168.0.0/24 keep state
> pass out quick on xl1 from any to DMZ_BLOCK/29 keep state
> pass out quick on xl1 proto tcp from any to DMZ_BLOCK/29 keep state
>
> # Allow ICMP traffic (for testing purposes)
> pass in quick on xl0 proto icmp from 192.168.0.0/24 to any keep state
> pass in quick on xl1 proto icmp from DMZ_BLOCK/29 to any keep state
> pass in quick on tun0 proto icmp from any to 192.168.0.0/24 keep state
> pass in quick on tun0 proto icmp from any to DMZ_BLOCK/29 keep state
> pass out quick proto icmp from any to any keep state
>
> # Allow FTP server
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp-data keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp-data keep state
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp keep state
> # This is for the passive ports range...
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port 4000 >< 4049 keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port 4000 >< 4049 keep state
>
> # Allow Terminal services
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = rdp keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = rdp keep state
>
> # Default
> block in log all
> block return-rst in log proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log proto udp from any to any
>
> [/etc/ipnat.rules]
> map tun0 192.168.0.0/24 -> WAN_IP/32
> map tun0 192.168.0.0/24 -> WAN_IP/32 portmap tcp/udp auto
>
> [KERNEL_CONFIG]
> device bpf
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
> options NETGRAPH
> options NETGRAPH_ETHER
> options NETGRAPH_PPP
> options NETGRAPH_PPPOE
> options NETGRAPH_SOCKET

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 15 08:00:36 2006
Date: Thu, 15 Jun 2006 08:00:15 GMT
From: Mark Linimon
Message-Id: <200606150800.k5F80FvI086901@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/94992: [pf] [patch] pfctl complains about ALTQ missing

Synopsis: [pf] [patch] pfctl complains about ALTQ missing

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Jun 15 08:00:01 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=94992

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 16 15:33:45 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Andrew Thompson
Date: Fri, 16 Jun 2006 17:33:37 +0200
Subject: Fwd: enc0 patch for ipsec

FYI ... great news from Andrew:

Please help him test!

---------- Forwarded Message ----------

Subject: enc0 patch for ipsec
Date: Friday 16 June 2006 00:53
From: Andrew Thompson
To: arch@freebsd.org
Cc: net@freebsd.org

Hi,

I have a patch attached that implements the much requested feature of packet filtering ipsec connections. This is a device to expose packets going in/out of ipsec and comes from OpenBSD. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering.

The way I have hooked it in is compiling it in with fast_ipsec and the extra work is only done when the enc0 interface is created. The interface is not created by default so it's a minimal hit, the user will need to 'ifconfig enc0 create' in order to activate it. I believe the locking is correct so it can be created and destroyed at runtime.

PRs 98219 and 94829 are requesting this feature.
Andrew

-------------------------------------------------------

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="ipsec_enc.diff"

Index: share/man/man4/enc.4
===================================================================
RCS file: share/man/man4/enc.4
diff -N share/man/man4/enc.4
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ share/man/man4/enc.4	15 Jun 2006 22:08:24 -0000
@@ -0,0 +1,111 @@ +.\" $OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $ +.\" +.\" Copyright (c) 1999 Angelos D. Keromytis +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this softwa= re +.\" must display the following acknowledgement: +.\" This product includes software developed by Angelos D. Keromytis. +.\" 4. The name of the author may not be used to endorse or promote produc= ts +.\" derived from this software without specific prior written permissio= n. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANT= IES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, B= UT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF U= SE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE = OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" $FreeBSD$ +.\" +.Dd June 16, 2006 +.Dt ENC 4 +.Os +.Sh NAME +.Nm enc +.Nd Encapsulating Interface +.Sh DESCRIPTION +The +.Nm +interface is a software loopback mechanism that allows hosts or +firewalls to filter +.Xr fast_ipsec 4 +traffic using any firewall package that hooks in via the +.Xr pfil 9 +framework. +.Pp +In order to enable packet handoff to +.Xr pfil 9 +and +.Xr bpf 4 , +the +.Dq enc0 +interface needs to be created and marked up. +This is most easily done with the +.Xr ifconfig 8 +.Cm create +command or using the +.Va cloned_interfaces +variable in +.Xr rc.conf 5 . +The interface can also be destroyed at runtime, this will disable packet +interception and filtering. +.Pp +The +.Nm +interface allows an administrator +to see outgoing packets before they have been processed by +.Xr fast_ipsec 4 , +or incoming packets after they have been similarly processed, via +.Xr tcpdump 8 . +.Pp +The +.Dq enc0 +interface inherits all IPsec traffic. +Thus all IPsec traffic can be filtered based on +.Dq enc0 , +and all IPsec traffic could be seen by invoking +.Xr tcpdump 8 +on the +.Dq enc0 +interface. 
+.Sh EXAMPLES +To create the interface and enable IPsec packet filtering: +.Pp +.Bd -literal -offset indent +ifconfig enc0 create up +.Ed +.Pp +To see all outgoing packets before they have been processed via +.Xr fast_ipsec 4 , +or all incoming packets after they have been similarly processed: +.Pp +.Bd -literal -offset indent +tcpdump -i enc0 +.Ed +.Pp +To disable packet filtering:=20 +.Pp +.Bd -literal -offset indent +ifconfig enc0 destroy +.Ed +.Sh SEE ALSO +.Xr bpf 4 , +.Xr fast_ipsec 4 , +.Xr ipf 4 , +.Xr ipfw 4 , +.Xr pf 4 , +.Xr tcpdump 8 Index: share/man/man4/fast_ipsec.4 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/share/man/man4/fast_ipsec.4,v retrieving revision 1.3 diff -u -p -r1.3 fast_ipsec.4 =2D-- share/man/man4/fast_ipsec.4 21 Jan 2005 08:36:37 -0000 1.3 +++ share/man/man4/fast_ipsec.4 15 Jun 2006 22:32:58 -0000 @@ -78,10 +78,16 @@ When the protocols are configured for use, all protocols are included in the system. To selectively enable/disable protocols, use .Xr sysctl 8 . +.Pp +The packets can be passed to a virtual interface, +.Dq enc0 , +to perform packet filtering before outbound encryption and after decapsula= tion +inbound. .Sh DIAGNOSTICS To be added. .Sh SEE ALSO .Xr crypto 4 , +.Xr enc 4 , .Xr ipsec 4 , .Xr setkey 8 , .Xr sysctl 8 Index: sys/conf/files =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/conf/files,v retrieving revision 1.1125 diff -u -p -r1.1125 files =2D-- sys/conf/files 14 Jun 2006 03:03:08 -0000 1.1125 +++ sys/conf/files 15 Jun 2006 21:38:18 -0000 
@@ -1459,6 +1459,7 @@ net/if_bridge.c optional if_bridge net/if_clone.c standard net/if_disc.c optional disc net/if_ef.c optional ef +net/if_enc.c optional fast_ipsec net/if_ethersubr.c optional ether net/if_faith.c optional faith net/if_fddisubr.c optional fddi Index: sys/net/if_enc.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: sys/net/if_enc.c diff -N sys/net/if_enc.c =2D-- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/net/if_enc.c 15 Jun 2006 21:38:18 -0000 
@@ -0,0 +1,323 @@ +/*- + * Copyright (c) 2006 Andrew Thompson + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Broadcom Corporation nor the name of its contrib= utors + * may be used to endorse or promote products derived from this software + * without specific prior written consent. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS= IS' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, T= HE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURP= OSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include "opt_inet6.h" + +#ifdef INET6 +#include +#include +#endif + +#include + +#define ENCMTU (1024+512) +#define ENC_HDRLEN 12 + +/* XXX this define must have the same value as in OpenBSD */ +#define M_CONF 0x0400 /* payload was encrypted (ESP-transport) */ +#define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */ +#define M_AUTH_AH 0x2000 /* header was authenticated (AH) */ + +struct enchdr { + u_int32_t af; + u_int32_t spi; + u_int32_t flags; +}; + +struct ifnet *encif; +struct mtx enc_mtx; + +struct enc_softc { + struct ifnet *sc_ifp; +}; + +int encioctl(struct ifnet *, u_long, caddr_t); +int encoutput(struct ifnet *ifp, struct mbuf *m, + struct sockaddr *dst, struct rtentry *rt); +static int enc_clone_create(struct if_clone *, int); +static void enc_clone_destroy(struct ifnet *); + +IFC_SIMPLE_DECLARE(enc, 0); + +static void +enc_clone_destroy(struct ifnet *ifp) +{ + + KASSERT(encif =3D=3D ifp, ("%s: unknown ifnet", __func__)); + + mtx_lock(&enc_mtx); + encif =3D NULL; + mtx_unlock(&enc_mtx); + + bpfdetach(ifp); + if_detach(ifp); + if_free(ifp); + +} + +static int +enc_clone_create(struct if_clone *ifc, int unit) +{ + struct ifnet *ifp; + struct enc_softc *sc; + + mtx_lock(&enc_mtx); + if (encif !=3D NULL) + return (EBUSY); + mtx_unlock(&enc_mtx); + + sc =3D malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO); + ifp =3D sc->sc_ifp =3D if_alloc(IFT_ENC); + if (ifp =3D=3D NULL) { + free(sc, M_DEVBUF); + return (ENOSPC); + } + + if_initname(ifp, ifc->ifc_name, unit); + ifp->if_mtu =3D ENCMTU; + ifp->if_ioctl =3D encioctl; + ifp->if_output =3D encoutput; + ifp->if_snd.ifq_maxlen =3D ifqmaxlen; + ifp->if_softc =3D sc; + if_attach(ifp); + bpfattach(ifp, DLT_ENC, ENC_HDRLEN); + + mtx_lock(&enc_mtx); + encif 
=3D ifp; + mtx_unlock(&enc_mtx); + + return (0); +} + +static int +enc_modevent(module_t mod, int type, void *data) +{ + switch (type) { + case MOD_LOAD: + mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF); + if_clone_attach(&enc_cloner); + break; + case MOD_UNLOAD: + printf("enc module unload - not possible for this module\n");=20 + return (EINVAL); + default: + return (EOPNOTSUPP); + } + return (0); +} + +static moduledata_t enc_mod =3D { + "enc", + enc_modevent, + 0 +}; + +DECLARE_MODULE(enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY); + +int +encoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, + struct rtentry *rt) +{ + m_freem(m); + return (0); +} + +/* + * Process an ioctl request. + */ +/* ARGSUSED */ +int +encioctl(struct ifnet *ifp, u_long cmd, caddr_t data) +{ + int error =3D 0; + + switch (cmd) { + + case SIOCSIFFLAGS: + if (ifp->if_flags & IFF_UP) + ifp->if_drv_flags |=3D IFF_DRV_RUNNING; + else + ifp->if_drv_flags &=3D ~IFF_DRV_RUNNING; + + break; + + default: + error =3D EINVAL; + } + return (error); +} + +int +ipsec_filter(struct mbuf **mp, int dir) +{ + int error, i; + struct ip *ip; + + mtx_lock(&enc_mtx); + if (encif =3D=3D NULL || (encif->if_drv_flags & IFF_DRV_RUNNING) =3D=3D 0= ) { + mtx_unlock(&enc_mtx); + return (0); + } + + /* Skip pfil(9) if no filters are loaded */ + if (inet_pfil_hook.ph_busy_count < 0 +#ifdef INET6 + && inet6_pfil_hook.ph_busy_count < 0 +#endif + ) { + mtx_unlock(&enc_mtx); + return (0); + } + + i =3D min((*mp)->m_pkthdr.len, max_protohdr); + if ((*mp)->m_len < i) { + *mp =3D m_pullup(*mp, i); + if (*mp =3D=3D NULL) { + printf("%s: m_pullup failed\n", __func__); + mtx_unlock(&enc_mtx); + return (-1); + } + } + + error =3D 0; + ip =3D mtod(*mp, struct ip *); + switch (ip->ip_v) { + case 4: + /* + * before calling the firewall, swap fields the same as + * IP does. 
here we assume the header is contiguous + */ + ip->ip_len =3D ntohs(ip->ip_len); + ip->ip_off =3D ntohs(ip->ip_off); + + error =3D pfil_run_hooks(&inet_pfil_hook, mp, + encif, dir, NULL); + + if (*mp =3D=3D NULL || error !=3D 0) + break; + + /* restore byte ordering */ + ip =3D mtod(*mp, struct ip *); + ip->ip_len =3D htons(ip->ip_len); + ip->ip_off =3D htons(ip->ip_off); + break; + +#ifdef INET6 + case 6: + error =3D pfil_run_hooks(&inet6_pfil_hook, mp, + encif, dir, NULL); + break; +#endif + default: + printf("%s: unknown IP version\n", __func__); + } + + mtx_unlock(&enc_mtx); + if (*mp =3D=3D NULL) + return (error); + if (error !=3D 0) + goto bad; + + return (error); + +bad: + mtx_unlock(&enc_mtx); + m_freem(*mp); + *mp =3D NULL; + return (error); +} + +void +ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af) +{ + int flags; + struct enchdr hdr; + struct mbuf m1; + + KASSERT(sav !=3D NULL, ("%s: sav is null", __func__)); + + mtx_lock(&enc_mtx); + if (encif =3D=3D NULL || (encif->if_drv_flags & IFF_DRV_RUNNING) =3D=3D 0= ) { + mtx_unlock(&enc_mtx); + return; + } + + if (encif->if_bpf) { + flags =3D 0; + if (sav->alg_enc !=3D SADB_EALG_NONE) + flags |=3D M_CONF; + if (sav->alg_auth !=3D SADB_AALG_NONE) + flags |=3D M_AUTH; + + /* + * We need to prepend the address family as a four byte + * field. Cons up a dummy header to pacify bpf. This + * is safe because bpf will only read from the mbuf + * (i.e., it won't try to free it or keep a pointer a + * to it). 
+ */ + hdr.af =3D af; + hdr.spi =3D sav->spi; + hdr.flags =3D flags; + + m1.m_flags =3D 0; + m1.m_next =3D m; + m1.m_len =3D ENC_HDRLEN; + m1.m_data =3D (char *) &hdr; + + bpf_mtap(encif->if_bpf, &m1); + } + mtx_unlock(&enc_mtx); +} Index: sys/net/if_types.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/net/if_types.h,v retrieving revision 1.21 diff -u -p -r1.21 if_types.h =2D-- sys/net/if_types.h 10 Jun 2005 16:49:19 -0000 1.21 +++ sys/net/if_types.h 15 Jun 2006 21:38:18 -0000 @@ -246,6 +246,7 @@ #define IFT_GIF 0xf0 #define IFT_PVC 0xf1 #define IFT_FAITH 0xf2 +#define IFT_ENC 0xf4 #define IFT_PFLOG 0xf6 #define IFT_PFSYNC 0xf7 #define IFT_CARP 0xf8 /* Common Address Redundancy Protocol */ Index: sys/netipsec/ipsec.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netipsec/ipsec.h,v retrieving revision 1.11 diff -u -p -r1.11 ipsec.h =2D-- sys/netipsec/ipsec.h 10 Apr 2006 15:04:36 -0000 1.11 +++ sys/netipsec/ipsec.h 15 Jun 2006 21:38:18 -0000 @@ -335,6 +335,8 @@ extern int ipsec_replay; extern int ipsec_integrity; #endif =20 +extern struct ifnet *encif; + extern struct newipsecstat newipsecstat; extern struct secpolicy ip4_def_policy; extern int ip4_esp_trans_deflev; 
@@ -417,6 +419,9 @@ extern void m_checkalignment(const char* extern struct mbuf *m_makespace(struct mbuf *m0, int skip, int hlen, int *= off); extern caddr_t m_pad(struct mbuf *m, int n); extern int m_striphdr(struct mbuf *m, int skip, int hlen); +extern int ipsec_filter(struct mbuf **, int); +extern void ipsec_bpf(struct mbuf *, struct secasvar *, int); + #endif /* _KERNEL */ =20 #ifndef _KERNEL Index: sys/netipsec/ipsec_input.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netipsec/ipsec_input.c,v retrieving revision 1.11 diff -u -p -r1.11 ipsec_input.c =2D-- sys/netipsec/ipsec_input.c 4 Jun 2006 19:32:32 -0000 1.11 +++ sys/netipsec/ipsec_input.c 15 Jun 2006 21:38:18 -0000 @@ -443,6 +443,18 @@ ipsec4_common_input_cb(struct mbuf *m, s key_sa_recordxfer(sav, m); /* record data transfer */ =20 /* + * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP + * packet later after it has been decapsulated. + */ + if (encif !=3D NULL) { + ipsec_bpf(m, sav, AF_INET); + + if (prot !=3D IPPROTO_IPIP) + if ((error =3D ipsec_filter(&m, 1)) !=3D 0) + return (error); + } + + /* * Re-dispatch via software interrupt. */ if ((error =3D netisr_queue(NETISR_IP, m))) { Index: sys/netipsec/ipsec_output.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netipsec/ipsec_output.c,v retrieving revision 1.11 diff -u -p -r1.11 ipsec_output.c =2D-- sys/netipsec/ipsec_output.c 2 Nov 2005 13:46:32 -0000 1.11 +++ sys/netipsec/ipsec_output.c 15 Jun 2006 21:38:18 -0000 
@@ -358,6 +358,11 @@ ipsec4_process_packet( goto bad; =20 sav =3D isr->sav; + + /* pass the mbuf to enc0 for packet filtering */ + if (encif !=3D NULL && (error =3D ipsec_filter(&m, 2)) !=3D 0) + goto bad; + if (!tunalready) { union sockaddr_union *dst =3D &sav->sah->saidx.dst; int setdf; @@ -455,6 +460,10 @@ ipsec4_process_packet( } } =20 + /* pass the mbuf to enc0 for bpf processing */ + if (encif !=3D NULL) + ipsec_bpf(m, sav, AF_INET); + /* * Dispatch to the appropriate IPsec transform logic. The * packet will be returned for transmission after crypto Index: sys/netipsec/xform_ipip.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netipsec/xform_ipip.c,v retrieving revision 1.12 diff -u -p -r1.12 xform_ipip.c =2D-- sys/netipsec/xform_ipip.c 30 Mar 2006 18:57:04 -0000 1.12 +++ sys/netipsec/xform_ipip.c 15 Jun 2006 21:38:18 -0000 
@@ -345,6 +345,10 @@ _ipip_input(struct mbuf *m, int iphlen,=20 /* Statistics */ ipipstat.ipips_ibytes +=3D m->m_pkthdr.len - iphlen; =20 + /* pass the mbuf to enc0 for packet filtering */ + if (encif !=3D NULL && ipsec_filter(&m, 1) !=3D 0) + return; + /* * Interface pointer stays the same; if no IPsec processing has * been done (or will be done), this will point to a normal --Boundary-01=_S9skE5PcWp4ZUUE-- --nextPart1496855.i4jJP0x1H7 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBEks9WXyyEoT62BG0RAu6LAJ9AWKV5U5ZbEY3v9ONn00wNg1ZutgCfffSU Jg5YJ1j4Dq3eztKE9QmZoMg= =+QER -----END PGP SIGNATURE----- --nextPart1496855.i4jJP0x1H7-- From owner-freebsd-pf@FreeBSD.ORG Fri Jun 16 18:32:06 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A9AB616A494 for ; Fri, 16 Jun 2006 18:32:06 +0000 (UTC) (envelope-from sullrich@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.172]) by mx1.FreeBSD.org (Postfix) with ESMTP id E681443D48 for ; Fri, 16 Jun 2006 18:32:05 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by ug-out-1314.google.com with SMTP id m3so1900098uge for ; Fri, 16 Jun 2006 11:32:04 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=dcnSiC7ZMjBojdsOkVr5xbDurOuWAOrl116HaK5m2NNZbXFV1hRobmBS5n0T5RVToqSzXHMYsyS63shEoGyjvyIOAicznRNNfX9hMccXwAaIkAzGrJea8fQzuUMkk0TFtw5+5sZGOYRAT4MK9Ara2JllEXeEN9Pwxnngp444emQ= Received: by 10.67.103.7 with SMTP id f7mr2851574ugm; Fri, 16 Jun 2006 08:37:04 -0700 (PDT) Received: by 10.67.28.14 with HTTP; Fri, 16 Jun 2006 08:37:04 -0700 (PDT) Message-ID: Date: Fri, 16 Jun 2006 11:37:04 -0400 
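Review bot: the DESCRIPTION of the new enc.4 never says that what appears on enc0 is cleartext: outbound packets are seen before fast_ipsec(4) encrypts them and inbound packets after it has decrypted them, so read access to the bpf(4) tap on enc0 is read access to the protected traffic. One sentence after "via .Xr tcpdump 8" stating that, and that the tap should be restricted like any other bpf device, belongs in the page; the "interface inherits all IPsec traffic" paragraph is the natural place. Two smaller points: "The interface can also be destroyed at runtime, this will disable packet interception and filtering." is a comma splice and should be split, and the imported header keeps the OpenBSD 4-clause licence with the advertising clause, which the commit message should confirm is acceptable for the tree.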
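Review bot: the paragraph added to fast_ipsec.4 reads as if packets are always handed to enc0, while enc.4 in the same patch says this only happens once enc0 has been created and marked up. Qualify it, for instance "If the enc0 interface has been created, packets are passed to it to perform packet filtering before outbound encryption and after decapsulation inbound.", and reference .Xr enc 4 from the paragraph itself rather than only from SEE ALSO.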
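Review bot: enc_clone_create() in if_enc.c returns with enc_mtx held on the busy path: `mtx_lock(&enc_mtx); if (encif != NULL) return (EBUSY); mtx_unlock(&enc_mtx);` so a second "ifconfig enc1 create" leaves the mutex locked and every later ipsec_filter()/ipsec_bpf() call blocks forever; unlock before returning. The check is also separated from the later `encif = ifp` store by the malloc()/if_alloc()/if_attach() window, so two concurrent creates can both pass it; re-check encif under the lock before the store and undo the attach on the losing side. In ipsec_filter() the `bad:` label calls mtx_unlock(&enc_mtx) a second time, the lock having already been dropped just above `if (*mp == NULL) return (error);`; delete that unlock. Consider as well whether enc_mtx needs to be held across pfil_run_hooks() at all, since that serialises all IPsec traffic on one mutex and enters the firewall with it held; guarding only the encif lookup and the if_drv_flags read would avoid that. Minor: the M_CONF/M_AUTH/M_AUTH_AH names look like mbuf m_flags bits; an ENC_ prefix would make clear they are enchdr.flags values.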
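Review bot: IFT_ENC is added to if_types.h without a comment while the neighbouring IFT_CARP entry has one; add a trailing comment such as "/* Encapsulation */" and say in the commit message where 0xf4 comes from (it sits in the locally assigned block above 0xf0 between IFT_FAITH and IFT_PFLOG; if it was chosen to match OpenBSD's value, state that so nobody later reassigns it).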
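Review bot: `extern struct ifnet *encif;` in ipsec.h exposes a pointer that the callers added in this patch test without holding enc_mtx. Document next to the declaration that encif is written only under enc_mtx, that the unlocked `encif != NULL` test is a hint only, and that ipsec_filter()/ipsec_bpf() re-validate it under the lock, so that no later caller dereferences it directly.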
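Review bot: the ipsec_filter() and ipsec_bpf() prototypes in ipsec.h carry no comment on their contract. Say that the int argument is a pfil(9) direction (PFIL_IN or PFIL_OUT), that ipsec_filter() may free *mp and set it to NULL, and that a zero return does not guarantee *mp is still valid; the callers in ipsec_input.c and xform_ipip.c currently assume that it does.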
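Review bot: in the ipsec4_common_input_cb() hunk the new block only returns when ipsec_filter() reports an error, but ipsec_filter() returns whatever the pfil hook returned even when it has set *mp to NULL, and a hook may consume the packet and return 0; in that case execution continues into netisr_queue(NETISR_IP, m) with m == NULL. Add `if (m == NULL) return (0);` after the call, and pass PFIL_IN instead of the bare 1.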
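Review bot: in the first ipsec4_process_packet() hunk, on a non-zero return ipsec_filter() has already freed the mbuf and set m to NULL before `goto bad`; that is only safe if the bad: label tolerates m == NULL, which this hunk does not show, so verify it or the drop becomes a double free. Pass PFIL_OUT rather than 2 so the direction is readable.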
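Review bot: the filter call in the first ipsec4_process_packet() hunk runs before the `if (!tunalready)` block while the bpf tap in the second hunk runs after it, so for tunnel-mode SAs the pfil rules appear to see the inner packet while tcpdump on enc0 sees the encapsulated one. If that asymmetry is intended, enc.4 should say which packet each consumer sees; if not, place the tap next to the filter call.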
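Review bot: in the _ipip_input() hunk `if (encif != NULL && ipsec_filter(&m, 1) != 0) return;` discards the error and, if the hook consumed the packet with a zero return, falls through into the code below with m == NULL; test m after the call as well, and use PFIL_IN. Note also that ipips_ibytes has already been incremented above, so packets the filter drops still count as received bytes, which is acceptable but worth a word in the commit message.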
From: "Scott Ullrich"
To: "Max Laier"
Cc: Andrew Thompson, freebsd-pf@freebsd.org
In-Reply-To: <200606161733.42247.max@love2party.net>
Date: Fri, 16 Jun 2006 11:37:04 -0400
Subject: Re: enc0 patch for ipsec

On 6/16/06, Max Laier wrote:
> FYI ... great news from Andrew:
>
> Please help him test!

This is great news indeed. FWIW, we've been using it in pfSense for about a month. Works great! Commit away! :)

Scott