From owner-freebsd-net@FreeBSD.ORG Thu Feb 6 22:21:22 2014
Message-ID: <1391725273.22934.16.camel@fr-wks3.corp.novso.com>
Subject: IPsec filtertunnel broken on FreeBSD 10
From: Nicolas DEFFAYET
To: freebsd-net@freebsd.org
Date: Thu, 06 Feb 2014 23:21:13 +0100
Organization: DEFFAYET.COM
List-Id: Networking and TCP/IP with FreeBSD

Hello,

The IPsec filtertunnel is broken on FreeBSD 10: incoming decapsulated packets are not going to the firewall or to the enc pseudo-interface.

This issue affects 10.0-RELEASE and 10.0-STABLE. 9.1-RELEASE and 9.2-RELEASE are not affected.

Of course the sysctl shows that filtertunnel is enabled:

net.inet.ipsec.filtertunnel=1
net.inet6.ipsec.filtertunnel=1

This issue is serious as it's not possible to use a firewall (ipfw/pf) to secure a gre/gif/l2tp IPsec tunnel, as the incoming decapsulated packets are not seen by the firewall.
Many people have reported the issue on forums.freebsd.org and a bug report has been opened: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/185876

To try to provide a fix, I have run a diff on the kernel source in the net, netinet, netinet6 and netipsec folders between 9.2-RELEASE and 10.0-RELEASE, but I haven't found what change could break IPsec filtertunnel.

Can any expert or people knowing the code help us please?

Many thanks!

-- 
Nicolas DEFFAYET
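The symptom Nicolas describes has a simple observable test on a FreeBSD host: with both filtertunnel knobs set to 1, a pf rule on the enc0 pseudo-interface should accumulate packet counts as decapsulated traffic flows; if the counters stay at zero while the tunnel carries traffic, the decapsulated packets are bypassing the firewall exactly as reported. The helper below is an added example, not code from the original post or from the FreeBSD project. It parses the output of `sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec.filtertunnel` and of `pfctl -vsr` (both real commands); the interface name enc0 and the captured outputs embedded below are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example: check (1) that both IPsec filtertunnel sysctls are enabled and
# (2) whether a pf rule on the enc pseudo-interface has actually matched packets.
# Both functions work on captured command output so they can run offline; on a
# FreeBSD box you would pass them the live output of
#   sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec.filtertunnel
#   pfctl -vsr

# Return 0 only if both the IPv4 and the IPv6 filtertunnel knobs read 1.
filtertunnel_enabled() {
    printf '%s\n' "$1" | awk '
        /^net\.inet\.ipsec\.filtertunnel: *1$/  { v4 = 1 }
        /^net\.inet6\.ipsec\.filtertunnel: *1$/ { v6 = 1 }
        END { exit (v4 && v6) ? 0 : 1 }'
}

# Print the "Packets:" counter of the first pf rule bound to interface $2
# (default enc0) in "pfctl -vsr" output; print 0 if no such rule exists.
# pfctl -vsr prints each rule followed by an indented statistics line such as
#   [ Evaluations: 12  Packets: 8  Bytes: 672  States: 1  ]
enc_rule_packets() {
    printf '%s\n' "$1" | awk -v ifn="${2:-enc0}" '
        BEGIN { want = 0; found = 0; n = 0 }
        # A rule line: remember whether it is bound to the interface we care about.
        /^(pass|block|match|scrub|anchor)/ { want = ($0 ~ (" on " ifn "( |$)")) }
        # The statistics line that follows a matching rule carries the counter.
        want && /Packets:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") { n = $(i + 1); found = 1 }
            exit
        }
        END { print (found ? n : 0) }'
}

# Return 0 if decapsulated packets are being seen by pf on the enc interface.
enc_filtering_works() {
    [ "$(enc_rule_packets "$1" "$2")" -gt 0 ]
}

# Constructed sample outputs (not captured from a real host).
SYSCTL_OK='net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec.filtertunnel: 1'
SYSCTL_BAD='net.inet.ipsec.filtertunnel: 0
net.inet6.ipsec.filtertunnel: 1'
PFCTL_SEEN='pass in on enc0 all flags S/SA keep state
  [ Evaluations: 12        Packets: 8         Bytes: 672        States: 1     ]
pass out on em0 all flags S/SA keep state
  [ Evaluations: 40        Packets: 30        Bytes: 2100       States: 2     ]'
PFCTL_BYPASSED='pass in on enc0 all flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0          States: 0     ]'

# Stand-alone run: report the verdict for the constructed samples.
if filtertunnel_enabled "$SYSCTL_OK"; then echo "filtertunnel: enabled"; fi
if enc_filtering_works "$PFCTL_SEEN"; then echo "enc0: decapsulated packets reach pf"; fi
if ! enc_filtering_works "$PFCTL_BYPASSED"; then echo "enc0: no packets seen by pf (bypass symptom)"; fi
```

On a live system the sysctl check should pass first; only then is a zero counter on the enc0 rule meaningful evidence of the bypass, since with filtertunnel disabled the zero is expected behaviour. Pairing this with `tcpdump -ni enc0` while traffic crosses the tunnel gives a second, independent view of whether the decapsulated packets appear on the pseudo-interface at all.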