Date: Fri, 24 Jan 2014 08:20:00 GMT
From: "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Message-ID: <201401240820.s0O8K07F095355@freefall.freebsd.org>

The following reply was made to PR kern/185876; it has been noted by GNATS.

From: "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>
To: bug-followup@FreeBSD.org, a.v.volobuev@gmail.com
Cc:
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Date: Fri, 24 Jan 2014 14:25:59 +0600

There is also a problem with the pseudo interface enc(4).
For example:

# sysctl -a | i ipsec | i enc
net.enc.in.ipsec_filter_mask: 2
net.enc.in.ipsec_bpf_mask: 2
net.enc.out.ipsec_filter_mask: 0
net.enc.out.ipsec_bpf_mask: 0

# tcpdump -n -i enc0 host 10.10.3.1
14:07:09.516262 (authentic,confidential): SPI 0xced105ce: IP 10.10.3.1.58822 > 188.225.33.52.80: Flags [S], seq 317580935, win 13600, options [mss 1360,sackOK,TS val 3559730 ecr 0,nop,wscale 6], length 0

but the ipfw rule:

ipfw add 10 nat 1 ip from 10.0.150.3/32 to any in

does not match.