From owner-freebsd-pf@FreeBSD.ORG Mon Oct 10 11:07:13 2011
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 10 Oct 2011 11:07:13 GMT
Message-Id: <201110101107.p9AB7DOH032462@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/159390  pf         [pf] [panic] mutex pf task mtx owned at /usr/src/sys/c
o kern/159029  pf         [pf] [panic] m_copym, offset > size of mbuf chain when
o kern/158873  pf         [pf] [panic] When I launch pf daemon, I have a kernel
o kern/158636  pf         [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

50 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 10 20:26:07 2011
From: Remko Lodder <remko@elvandar.org>
To: Gi Dot
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 10 Oct 2011 22:26:04 +0200
Subject: Re: Error - mysql_connect: Operation not permitted.

>
>
>
> Appreciate any advice offered.
>
> Thanks.

Dear "gi",

Please do not cross post to different mailing lists. You ask something about PF and not specifically about networking things at the moment.

I didn't read the pf.conf and such, but if something tricks on pf you can mostly see that either in your logs (tcpdump pflog0, read the documentation to see the advised settings here!) and see whether that might cause things to fail.

As I can read this from your current feedback, you didn't test that yet and it would be great if you can see whether there are issues there. If you can look into this yourself this will help you in your later quest.

Thanks!
Remko

p.s. Remove the -net mailing list when you reply!

-- 
/"\   With kind regards,          | remko@elvandar.org
\ /   Remko Lodder                | remko@FreeBSD.org
 X    FreeBSD                     | http://www.evilcoder.org
/ \   The Power to Serve          | Quis custodiet ipsos custodes

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 11 18:57:16 2011
From: Виталий Владимирович <artemrts@ukr.net>
To: freebsd-pf@FreeBSD.org
Date: Tue, 11 Oct 2011 21:41:00 +0300
Message-Id: <94876.1318358460.12206338191212019712@ffe11.ukr.net>
Subject: Filtering inside IPSec tunnel
I have an IPSec tunnel FreeBSD <-> CISCO. The tunnel works fine but I can't filter traffic inside the tunnel with PF.

pf.conf

......

ipsec_if="gif0"

.......
block in all
block out all

### EXT_IF_OUT

pass out log quick on $ext_if inet from ($ext_if) to any modulate state

### EXT_IF_IN

pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)

### IPSec VPN INTERFACE
#pass in quick on $ipsec_if inet from any to $ipsec_if
#pass out quick on $ipsec_if inet from $ipsec_if to any
block quick on $ipsec_if

But I can still ping the other end of the IPSec tunnel.
Where is my mistake?

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 11 20:05:52 2011
From: Michael Proto <mike@jellydonut.org>
To: freebsd-pf@freebsd.org
Date: Tue, 11 Oct 2011 15:37:46 -0400
In-Reply-To: <94876.1318358460.12206338191212019712@ffe11.ukr.net>
Subject: Re: Filtering inside IPSec tunnel

2011/10/11 Виталий Владимирович <artemrts@ukr.net>:
>
> I have an IPSec tunnel FreeBSD <-> CISCO. The tunnel works fine but I can't filter traffic inside the tunnel with PF.
>
> pf.conf
>
> ......
>
> ipsec_if="gif0"
>
> .......
> block in all
> block out all
>
> ### EXT_IF_OUT
>
> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
>
> ### EXT_IF_IN
>
> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
>
> ### IPSec VPN INTERFACE
> #pass in quick on $ipsec_if inet from any to $ipsec_if
> #pass out quick on $ipsec_if inet from $ipsec_if to any
> block quick on $ipsec_if
>
> But I can still ping the other end of the IPSec tunnel.
> Where is my mistake?
IIRC you also need the following in your kernel config:

options IPSEC_FILTERTUNNEL

(I think it used to be called IPSEC_FILTERGIF, depending on what
version of FreeBSD you're running)

-Proto

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 11 20:24:44 2011
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Michael Proto
Cc: freebsd-pf@freebsd.org
Date: Tue, 11 Oct 2011 20:24:39 +0000
Message-Id: <3E6628B4-CABB-41C3-8630-681F08690ABF@lists.zabbadoz.net>
References: <94876.1318358460.12206338191212019712@ffe11.ukr.net>
Subject: Re: Filtering inside IPSec tunnel

On 11. Oct 2011, at 19:37 , Michael Proto wrote:

> 2011/10/11 Виталий Владимирович <artemrts@ukr.net>:
>>
>> I have an IPSec tunnel FreeBSD <-> CISCO. The tunnel works fine but I can't filter traffic inside the tunnel with PF.
>>
>> pf.conf
>>
>> ......
>>
>> ipsec_if="gif0"
>>
>> .......
>> block in all
>> block out all
>>
>> ### EXT_IF_OUT
>>
>> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
>>
>> ### EXT_IF_IN
>>
>> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
>> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
>>
>> ### IPSec VPN INTERFACE
>> #pass in quick on $ipsec_if inet from any to $ipsec_if
>> #pass out quick on $ipsec_if inet from $ipsec_if to any
>> block quick on $ipsec_if
>>
>> But I can still ping the other end of the IPSec tunnel.
>> Where is my mistake?
>
> IIRC you also need the following in your kernel config:
>
> options IPSEC_FILTERTUNNEL
>
> (I think it used to be called IPSEC_FILTERGIF, depending on what
> version of FreeBSD you're running)

yes and there are sysctls these days:

net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec6.filtertunnel: 1

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
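As an added example for the thread above (not code from any of the posters, and not their configuration): a POSIX sh script that reads the two sysctls Bjoern names, reports the fail-open case the original poster hit, checks the ruleset counters for tunnel rules that are never consulted, and prints an explicit policy for the tunnel interface. gif0 is the poster's interface; em0 as the outer interface, the peer and LAN networks, the function names and both sample outputs are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not the posters' code): audit whether pf on a FreeBSD
# IPsec endpoint can enforce rules on the tunnel interface at all, then
# emit an explicit policy for it. gif0 is the poster's interface; em0,
# the peer/LAN networks and the sample outputs are assumptions made here.

# Print 1 if both filtertunnel knobs are 1 in sysctl or sysctl.conf style
# output, else 0. An absent knob counts as off.
tunnel_filtering_enabled() {
    printf '%s\n' "$1" | awk '
        function val(s) { sub(/^[^:=]*[:=][ \t]*/, "", s); return s + 0 }
        /^net\.inet\.ipsec\.filtertunnel[:=]/   { v4 = val($0) }
        /^net\.inet6\.ipsec6\.filtertunnel[:=]/ { v6 = val($0) }
        END { if (v4 == 1 && v6 == 1) print 1; else print 0 }'
}

# Print the /etc/sysctl.conf lines still missing, one per knob that is not 1.
sysctl_conf_fix() {
    for knob in net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel; do
        cur=$(printf '%s\n' "$1" | awk -v k="$knob" '
            index($0, k ":") == 1 || index($0, k "=") == 1 {
                sub(/^[^:=]*[:=][ \t]*/, ""); print $0 + 0; found = 1 }
            END { if (!found) print 0 }')
        [ "$cur" = 1 ] || echo "$knob=1"
    done
}

# From "pfctl -vs rules" output, print each rule on interface $1 whose
# counters show it was never evaluated: on a tunnel that is carrying
# traffic, that means pf is not seeing the inner packets (fail-open).
never_evaluated_rules_on() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        /^[ \t]*\[ Evaluations:/ {
            if (rule ~ (" on " ifc "( |$)")) {
                n = $0; sub(/.*Evaluations:[ \t]*/, "", n); sub(/[ \t].*/, "", n)
                if (n + 0 == 0) print rule
            }
            next
        }
        /^[^ \t]/ { rule = $0 }'
}

# Explicit default-deny policy for inner traffic on the tunnel interface.
# It only takes effect once filtertunnel is on; the poster's "block quick"
# was valid pf, it just never got consulted.
pf_tunnel_rules() {
    ipsec_if=$1 peer_net=$2 lan_net=$3
    cat <<EOF
# inner (decapsulated) IPsec traffic on $ipsec_if
pass in quick on $ipsec_if inet proto tcp from $peer_net to $lan_net port 443 flags S/SA keep state
pass in quick on $ipsec_if inet proto icmp from $peer_net to $lan_net icmp-type echoreq keep state
pass out quick on $ipsec_if inet from $lan_net to $peer_net keep state
block log quick on $ipsec_if
EOF
}

# Constructed samples: a host with both knobs off, and a ruleset whose gif0
# rule has never fired while the ESP rule on em0 keeps counting.
SAMPLE_SYSCTL_OFF='net.inet.ipsec.filtertunnel: 0
net.inet6.ipsec6.filtertunnel: 0'
SAMPLE_PFCTL='pass out log quick on em0 inet from (em0) to any flags S/SA modulate state
  [ Evaluations: 18422     Packets: 9113      Bytes: 1204410     States: 3     ]
pass in quick on em0 inet proto esp from 203.0.113.7 to (em0)
  [ Evaluations: 18422     Packets: 6270      Bytes: 881536      States: 1     ]
block drop quick on gif0 all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
    sysctl_out=$(sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel 2>/dev/null)
    pfctl_out=$(pfctl -vs rules 2>/dev/null)
else
    sysctl_out=$SAMPLE_SYSCTL_OFF; pfctl_out=$SAMPLE_PFCTL
fi
if [ "$(tunnel_filtering_enabled "$sysctl_out")" = 1 ]; then
    echo "ok: pf sees decapsulated IPsec traffic"
else
    echo "FAIL OPEN: pf never sees inner packets; add to /etc/sysctl.conf:"
    sysctl_conf_fix "$sysctl_out"
fi
echo "rules on gif0 never evaluated:"; never_evaluated_rules_on gif0 "$pfctl_out"
pf_tunnel_rules gif0 10.20.0.0/16 192.168.1.0/24
```

Run it as root on the FreeBSD endpoint so that `pfctl -vs rules` returns counters; anywhere else it falls back to the constructed samples. Setting `sysctl net.inet.ipsec.filtertunnel=1` takes effect immediately, and /etc/sysctl.conf makes it persist across reboots. Once the knob is on, pf evaluates the flow twice, as ESP on the outer interface and again as the clear-text packet on the tunnel interface, so the esp/ah/udp 500 passes on $ext_if in the poster's config stay necessary; the quickest confirmation that the change worked is a non-zero Evaluations counter on the tunnel rule.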
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 12 04:50:04 2011
From: Виталий Владимирович <artemrts@ukr.net>
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
Date: Wed, 12 Oct 2011 07:50:01 +0300
Message-Id: <52623.1318395001.5638287628313755648@ffe6.ukr.net>
In-Reply-To: <3E6628B4-CABB-41C3-8630-681F08690ABF@lists.zabbadoz.net>
Subject: Re: Filtering inside IPSec tunnel

--- Original Message ---
From: "Bjoern A. Zeeb"
To: "Michael Proto"
Date: 11 October 2011, 23:24:39
Subject: Re: Filtering inside IPSec tunnel

> On 11. Oct 2011, at 19:37 , Michael Proto wrote:
>
> > 2011/10/11 Виталий Владимирович:
> >>
> >> I have an IPSec tunnel FreeBSD <-> CISCO. The tunnel works fine but I can't filter traffic inside the tunnel with PF.
> >>
> >> pf.conf
> >>
> >> ......
> >>
> >> ipsec_if="gif0"
> >>
> >> .......
> >> block in all
> >> block out all
> >>
> >> ### EXT_IF_OUT
> >>
> >> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
> >>
> >> ### EXT_IF_IN
> >>
> >> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
> >> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
> >>
> >> ### IPSec VPN INTERFACE
> >> #pass in quick on $ipsec_if inet from any to $ipsec_if
> >> #pass out quick on $ipsec_if inet from $ipsec_if to any
> >> block quick on $ipsec_if
> >>
> >> But I can still ping the other end of the IPSec tunnel.
> >> Where is my mistake?
> >
> > IIRC you also need the following in your kernel config:
> >
> > options IPSEC_FILTERTUNNEL
> >
> > (I think it used to be called IPSEC_FILTERGIF, depending on what
> > version of FreeBSD you're running)
>
> yes and there are sysctls these days:
>
> net.inet.ipsec.filtertunnel: 1
> net.inet6.ipsec6.filtertunnel: 1
>

Thanks guys. It works fine!

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 15 14:20:57 2011
From: glebius@FreeBSD.org
To: nerijus.ambrazas@ktu.lt, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Sat, 15 Oct 2011 14:20:56 GMT
Message-Id: <201110151420.p9FEKulv026435@freefall.freebsd.org>
Subject: Re: kern/114095: [carp] carp+pf delay with high state limit

Synopsis: [carp] carp+pf delay with high state limit

State-Changed-From-To: open->closed
State-Changed-By: glebius
State-Changed-When: Sat Oct 15 14:20:00 UTC 2011
State-Changed-Why:
Not a bug. This is a feature. pfsync(4) suppresses carp(4) preemption until a newly booted node has downloaded the full table of pf(4) states from its peer.

http://www.freebsd.org/cgi/query-pr.cgi?pr=114095