6.2-STABLE: enc0 sees only outgoing packets in pf

Andrew Thompson thompsa at freebsd.org
Sat Mar 24 19:12:02 UTC 2007


On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote:
> Andre,
> 
> On 12/23/-58 20:59, Andre Albsmeier wrote:
> > [Retrying on -pf...]
> > 
> > (This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)
> > 
> > Just to make things clear: IPSEC works (as it did for years), I'm
> > just not able to control the incoming packets with enc0 in pf.
> 
> On the other side, I've played with device enc a few weeks ago and
> was asking for clarification on net@ but didn't get any reply.
> 
> What's really strange is packets coming through an IPSec tunnel can
> be seen by pf on device enc but packets are still passing through
> even if device enc0 is down.

The code does check if the interface is running, but if it's not it just
passes the packet through unhindered. Do you think it should behave like
you describe, where the packets are dropped?

See line 204; change the check to this:
  if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
     /* interface not running: drop the packet instead of passing it */
     m_freem(*mp);
     return (-1);
  }

> So from my experience device enc currently is a bit strange in
> behavior (at least on -STABLE). Also AFAIR I haven't been able to
> block packets on device enc0 using pf. I suspect device enc is
> currently a bit of a hack and currently probably only useful for
> packet / connection logging but not for real firewalling. You might
> check out if you're able to block anything on enc0 (my memories
> might be wrong) and play with it a bit.

This should work as you say, and if it's not then that's a bug. Can you log
the packets with pflog to check they are being blocked?


Andrew
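The kind of rule set the thread is talking about, as an added example that is not part of the thread or of FreeBSD's own files: every rule on enc0 carries `log`, so that anything pf drops on the tunnel interface shows up on pflog0 and the "is it really being blocked" question can be answered from a packet capture rather than from guesswork. The two prefixes and the port list are placeholders.

```pf
# Added example (not from the thread): pf rules on enc0 with logging,
# so that dropped packets can be verified on pflog0.
# Assumes the IPsec tunnel carries 10.0.1.0/24 (remote) <-> 10.0.2.0/24
# (local); both prefixes and the port list are placeholders.
remote_net = "10.0.1.0/24"
local_net  = "10.0.2.0/24"
tun_ports  = "{ 22, 80 }"

# Default for the tunnel interface: block and log in both directions.
block in  log on enc0 all
block out log on enc0 all

# Only the tunnelled prefixes, and only the services actually wanted.
pass in  quick on enc0 inet proto tcp from $remote_net to $local_net \
        port $tun_ports flags S/SA keep state
pass out quick on enc0 inet proto tcp from $local_net to $remote_net \
        port $tun_ports flags S/SA keep state
pass in  quick on enc0 inet proto icmp from $remote_net to $local_net \
        icmp-type echoreq keep state
```

Load it with `pfctl -f /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` while sending traffic through the tunnel: each dropped packet is printed with the number of the block rule that matched, and `pfctl -vvsr` shows the per-rule packet counters climbing. If nothing at all appears on pflog0 even for traffic that should be blocked, check `ifconfig enc0` first: as the message above describes, on this 6.2-STABLE code a non-running enc0 hands the packet on without consulting these rules at all, so the interface must be up for the rule set to be consulted.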

