pf not seeing inbound packets coming from IPSec on epair interface
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Mon Jan 18 16:27:45 UTC 2016
> On 18 Jan 2016, at 16:13 , Andreas Longwitz <longwitz at incore.de> wrote:
>
> in the situation
> IPSec --> epair0a --> epair0b
> pf does not see inbound packets on the interface epair0b, because the
> epair driver does not clear the flag PACKET_TAG_IPSEC_IN_DONE when it
> transfers a packet from epair0a to epair0b. The following patch for
> FreeBSD 10 works for me and is adapted from
> lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html:
Where does epair get the packet from? A physical interface bridged to epair?
If anything should clear that; I guess it’s the bridge interface?
Hmm, but then if you are using epairs to cross between network stacks, you are changing boundaries, indeed, so if you'd run ipsec on a single epair between two VNETs, that might be interesting as well?
I guess we’ll need to find a couple of these places (epair, bridge, netgraph, …) and make sure we strip all of the tags IFF we change the VNET?
/bz