kern/97057: IPSEC + pf stateful filtering does not work "out of the box"

Dmitry Andrianov freebsd at dima.spb.ru
Tue May 9 22:00:33 UTC 2006


>Number:         97057
>Category:       kern
>Synopsis:       IPSEC + pf stateful filtering does not work "out of the box"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 09 22:00:29 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Andrianov
>Release:        6.0
>Organization:
DataArt
>Environment:
FreeBSD gw1 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Jan 13 21:41:10 MSK 2006     root at gw1:/usr/src/sys/i386/compile/gw1  i386
>Description:
When IPSEC is configured according to the handbook ( http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html ) but pf is used instead of ipfw, users experience very strange TCP connection stalls.

In addition to my experiencing that problem ( http://lists.freebsd.org/pipermail/freebsd-pf/2006-May/002129.html ), I believe the following reports also refer to the same problem I had:
http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008812.html
http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008745.html

The problem is caused by the fact that PF cannot properly track state because it does not see packets coming from the tunnel to the gif interface. The problem is resolved by rebuilding the kernel with IPSEC_FILTERGIF. And the real challenge is to find that solution, because all the references to that option say that it is needed if you want filtering on gif. I do NOT want filtering on gif; I want filtering on other interfaces, but it does not work either.

In my opinion, the IPSEC_FILTERGIF option should be on by default. If that is absolutely unacceptable, the documentation should be fixed to reflect the "side effect" of enabling IPSEC/FAST_IPSEC without IPSEC_FILTERGIF.
>How-To-Repeat:
Set up IPSEC according to the handbook and use the following pf ruleset:

pass in keep state
pass out keep state
>Fix:
Rebuild the kernel with IPSEC_FILTERGIF.
>Release-Note:
>Audit-Trail:
>Unformatted:
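
A quick check for the condition this PR describes, as an added example (not part of the PR or of FreeBSD itself): it reads a kernel configuration and reports whether IPSEC or FAST_IPSEC is compiled in without IPSEC_FILTERGIF. The sample configs are constructed; on a real host whose kernel was built with INCLUDE_CONFIG_FILE, the running config can be fed in with `sysctl -n kern.conftxt | check_filtergif` (assumed usage, not shown in the PR).

```shell
#!/bin/sh
# Added example for kern/97057: flag a kernel config that has an IPsec stack
# but lacks IPSEC_FILTERGIF, the combination under which pf cannot track
# state for traffic arriving through the gif tunnel.

# Strip comments, keep "options FOO" lines, print the option names only.
kernel_options() {
    sed -e 's/#.*//' |
    awk '$1 == "options" { sub(/=.*/, "", $2); print $2 }'
}

# Reads a kernel config on stdin and prints one verdict:
#   AFFECTED  - IPSEC/FAST_IPSEC without IPSEC_FILTERGIF (pf blind to gif)
#   OK        - IPSEC/FAST_IPSEC together with IPSEC_FILTERGIF
#   NO_IPSEC  - no IPsec stack compiled in, so the PR does not apply
check_filtergif() {
    opts=$(kernel_options)
    ipsec=0; filtergif=0
    for o in $opts; do
        case "$o" in
            IPSEC|FAST_IPSEC) ipsec=1 ;;
            IPSEC_FILTERGIF)  filtergif=1 ;;
        esac
    done
    if [ "$ipsec" -eq 0 ]; then echo NO_IPSEC
    elif [ "$filtergif" -eq 0 ]; then echo AFFECTED
    else echo OK
    fi
}

# Constructed sample configs: the handbook-style IPsec options alone,
# and the same config with the fix from this PR added.
HANDBOOK_CONF='options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG   # debugging only
device  pf'
FIXED_CONF="$HANDBOOK_CONF
options IPSEC_FILTERGIF"

printf '%s\n' "$HANDBOOK_CONF" | check_filtergif   # AFFECTED
printf '%s\n' "$FIXED_CONF" | check_filtergif      # OK
```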