kern/110959: Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
Andre Albsmeier
Andre.Albsmeier at siemens.com
Wed Mar 28 06:10:03 UTC 2007
>Number: 110959
>Category: kern
>Synopsis: Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 28 06:10:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Andre Albsmeier
>Release: FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD 6.2-STABLE #0: Tue Mar 20 09:54:57 CET 2007
...
options FAST_IPSEC
device pf
device pflog
device gif
device enc
device random
device crypto
...
using a GIF-based IPSec connection and pf.
>Description:
When using GIF-based IPSec setups it is not possible to filter
incoming packets using enc0 in pf. For example, adding a line
pass quick log on enc0 all
on top of all rules will log only outgoing packets. It does not
matter if IPSEC_FILTERGIF has been compiled into the kernel or
not.
When using standard IPSec setups (without GIF-tunnels) everything
works as it should (e.g., the above line will make all packets
get logged).
>How-To-Repeat:
Set up a GIF-based IPSec connection and pf, add the above-mentioned
line on top of all rules and watch the logs (while sending packets
over the link).
>Fix:
Currently unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
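The "watch the logs" step above can be made mechanical. The following is an added example, not part of the PR: a POSIX sh/awk helper that reads pflog entries in the format printed by `tcpdump -n -e -ttt -i pflog0` (or `-r /var/log/pflog`) and counts how many matched the `pass quick log on enc0 all` rule per direction. The sample lines, addresses and rule numbers are constructed for illustration and show the symptom the PR describes: only outbound enc0 entries.

```shell
#!/bin/sh
# Added example (not part of the PR): count pflog entries per direction on enc0.
# Input lines follow tcpdump's pflog print format:
#   <timestamp> rule N/M(match): <action> <in|out> on <iface>: <packet>
# While traffic crosses the tunnel, a healthy setup yields both "in" and "out"
# entries; the PR's symptom is in=0 together with a non-zero out count.
count_enc0_dirs() {
    awk '
        /rule [0-9]+\/[0-9]+\(match\): / {
            for (i = 2; i <= NF; i++) {
                # the field after "on" is the interface name with a trailing colon
                if ($i == "on" && $(i + 1) == "enc0:") {
                    dir = $(i - 1)
                    if (dir == "in")  in_n++
                    if (dir == "out") out_n++
                }
            }
        }
        END { printf "in=%d out=%d\n", in_n + 0, out_n + 0 }
    '
}

# Constructed sample pflog output (not captured from a real system).
SAMPLE_PFLOG='00:00:00.000000 rule 0/0(match): pass out on enc0: 10.0.0.1 > 10.0.0.2: ICMP echo request, id 1, seq 1, length 64
00:00:01.000120 rule 0/0(match): pass out on enc0: 10.0.0.1 > 10.0.0.2: ICMP echo request, id 1, seq 2, length 64
00:00:00.000450 rule 3/0(match): pass in on em0: 192.0.2.1.500 > 192.0.2.2.500: isakmp
00:00:00.999300 rule 0/0(match): pass out on enc0: 10.0.0.1 > 10.0.0.2: ICMP echo request, id 1, seq 3, length 64'

# Returns 0 when inbound enc0 entries are present, 1 when the symptom is seen.
check_enc0_inbound() {
    result=$(printf '%s\n' "$SAMPLE_PFLOG" | count_enc0_dirs)
    echo "$result"
    case "$result" in
        "in=0 out="[1-9]*) echo "symptom present: no inbound enc0 entries logged"; return 1 ;;
        *) return 0 ;;
    esac
}
```

On a live system, run `tcpdump -n -e -ttt -r /var/log/pflog | count_enc0_dirs` after sending traffic over the tunnel.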