Date: Thu, 06 Feb 2014 23:21:13 +0100
From: Nicolas DEFFAYET <nicolas-ml@deffayet.com>
To: freebsd-net@freebsd.org
Subject: IPsec filtertunnel broken on FreeBSD 10
Message-ID: <1391725273.22934.16.camel@fr-wks3.corp.novso.com>
Hello,

The IPsec filtertunnel is broken on FreeBSD 10: incoming decapsulated packets are not going to the firewall and to the pseudo interface enc. This issue affects 10.0-RELEASE and 10.0-STABLE. 9.1-RELEASE and 9.2-RELEASE are not affected.

Of course the sysctl shows that filtertunnel is enabled:

net.inet.ipsec.filtertunnel=1
net.inet6.ipsec.filtertunnel=1

This issue is serious as it's not possible to use a firewall (ipfw/pf) to secure a gre/gif/l2tp IPsec tunnel, as the incoming decapsulated packets are not seen by the firewall.

Many people have reported the issue on forums.freebsd.org and a bug report has been opened: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/185876

To try to provide a fix, I have run a diff on the kernel source in the net, netinet, netinet6 and netipsec folders between 9.2-RELEASE and 10.0-RELEASE, but I haven't found what change could break IPsec filtertunnel.

Can any expert or people knowing the code help us, please?

Many thanks!

-- 
Nicolas DEFFAYET
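The symptom described above (filtertunnel enabled, yet decapsulated packets never reach enc0 or the packet filter) can be checked on a host rather than inferred from forum reports. The following script is an added example and is not part of the original mail nor FreeBSD's own tooling; it assumes ipfw is the active firewall, that rule number 1000 is free (an arbitrary choice), that the enc0 pseudo interface exists, and that a tunnel is carrying traffic while the check runs. The parsing helpers are separated from the live commands so the logic can be exercised offline on constructed sysctl and ipfw output.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that decapsulated IPsec
# traffic actually traverses enc0 and ipfw on FreeBSD, i.e. that
# net.inet.ipsec.filtertunnel is effective and not just set.
# Assumptions: ipfw is the firewall, rule 1000 is unused, enc0 exists.

# Return success if both filtertunnel sysctls read 1 in the given text.
# Accepts "name: value" (sysctl output) and "name=value" (sysctl.conf) lines.
filtertunnel_enabled() {
    v4=$(printf '%s\n' "$1" | awk -F'[:=][ \t]*' \
        '$1 == "net.inet.ipsec.filtertunnel" { print $2 }')
    v6=$(printf '%s\n' "$1" | awk -F'[:=][ \t]*' \
        '$1 == "net.inet6.ipsec.filtertunnel" { print $2 }')
    [ "$v4" = "1" ] && [ "$v6" = "1" ]
}

# Extract the packet counter from the first line of "ipfw show" output,
# e.g. "01000 15 1260 count ip from any to any via enc0" gives 15.
ipfw_rule_packets() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# Success if the counting rule saw packets between two readings ($1 before, $2 after).
enc0_saw_traffic() {
    [ "$2" -gt "$1" ]
}

# Live check: FreeBSD only, run as root while traffic flows through the tunnel.
live_check() {
    if ! filtertunnel_enabled "$(sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec.filtertunnel)"; then
        echo "filtertunnel is not enabled for both address families" >&2
        return 2
    fi
    # A "count" rule on enc0 is side-effect free: it only increments counters.
    ipfw add 1000 count ip from any to any via enc0 >/dev/null
    before=$(ipfw_rule_packets "$(ipfw show 1000)")
    echo "send traffic through the tunnel now; sampling for 10 seconds"
    sleep 10
    after=$(ipfw_rule_packets "$(ipfw show 1000)")
    ipfw delete 1000
    if enc0_saw_traffic "$before" "$after"; then
        echo "ok: $((after - before)) packets traversed enc0 and ipfw"
    else
        echo "problem: no packets seen on enc0; decapsulated traffic bypasses the firewall" >&2
        return 1
    fi
}

# Only touch the running system when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check-filtertunnel.sh --live` on the affected host; a zero delta on the enc0 counter while tunnel traffic is known to flow reproduces the report (the same observation can be made with `tcpdump -ni enc0`). On pf, the equivalent is a `pass on enc0` rule inspected with `pfctl -vsr`.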