Date:      Fri, 24 Jan 2014 08:20:00 GMT
From:      "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Message-ID:  <201401240820.s0O8K07F095355@freefall.freebsd.org>

The following reply was made to PR kern/185876; it has been noted by GNATS.

From: "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>
To: bug-followup@FreeBSD.org, a.v.volobuev@gmail.com
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Fri, 24 Jan 2014 14:25:59 +0600

 Also a problem with the pseudo interface enc(4). For example:
 # sysctl -a | i ipsec | i enc
 net.enc.in.ipsec_filter_mask: 2
 net.enc.in.ipsec_bpf_mask: 2
 net.enc.out.ipsec_filter_mask: 0
 net.enc.out.ipsec_bpf_mask: 0
 # tcpdump -n -i enc0 host 10.10.3.1
 14:07:09.516262 (authentic,confidential): SPI 0xced105ce: IP
 10.10.3.1.58822 > 188.225.33.52.80: Flags [S], seq 317580935, win 13600,
 options [mss 1360,sackOK,TS val 3559730 ecr 0,nop,wscale 6], length 0
 but the ipfw rule:
 ipfw add 10 nat 1 ip from 10.0.150.3/32 to any in
 does not match.
 


