kern/110959: Filtering incoming packets with enc0 does not work with GIF-based IPSec setups

Wed Mar 28 06:10:03 UTC 2007

>Number:         110959
>Category:       kern
>Synopsis:       Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 28 06:10:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Andre Albsmeier
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:

System: FreeBSD 6.2-STABLE #0: Tue Mar 20 09:54:57 CET 2007

...
options         FAST_IPSEC
device          pf
device          pflog
device          gif
device          enc
device          random
device          crypto
...

using a GIF-based IPSec connection and pf.

>Description:

When using GIF-based IPSec setups it is not possible to filter
incoming packets using enc0 in pf. For example, adding a line

pass quick log on enc0 all

on top of all rules will log only outgoing packets. It does not
matter if IPSEC_FILTERGIF has been compiled into the kernel or
not.

When using standard IPSec setups (without GIF-tunnels) everything
works as it should (e.g., the above line will make all packets
getting logged).

>How-To-Repeat:

Set up a GIF-based IPSec connection and pf, add above mentioned
line on top of all rules and watch the logs (while sending packets
over the link).

>Fix:

Currently unknown.
>Release-Note:
>Audit-Trail:
>Unformatted: