Date: Wed, 28 Mar 2007 07:47:14 +0200 (CEST)
From: Andre Albsmeier <Andre.Albsmeier@siemens.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/110959: Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
Message-ID: <200703280547.l2S5lEna008447@curry.mchp.siemens.de>
Resent-Message-ID: <200703280610.l2S6A34u054504@freefall.freebsd.org>

>Number:         110959
>Category:       kern
>Synopsis:       Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 28 06:10:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Andre Albsmeier
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:

System: FreeBSD 6.2-STABLE #0: Tue Mar 20 09:54:57 CET 2007

...
options FAST_IPSEC
device pf
device pflog
device gif
device enc
device random
device crypto
...

using a GIF-based IPSec connection and pf.

>Description:

When using GIF-based IPSec setups it is not possible to filter
incoming packets using enc0 in pf. For example, adding a line

pass quick log on enc0 all

on top of all rules will log only outgoing packets. It does not
matter if IPSEC_FILTERGIF has been compiled into the kernel or not.

When using standard IPSec setups (without GIF-tunnels) everything
works as it should (e.g., the above line will make all packets
getting logged).

>How-To-Repeat:

Set up a GIF-based IPSec connection and pf, add above mentioned
line on top of all rules and watch the logs (while sending packets
over the link).

>Fix:

Currently unknown.

>Release-Note:
>Audit-Trail:
>Unformatted: