[Bug 232522] if_ipsec and pf doesn't work
bugzilla-noreply at freebsd.org
Mon Oct 22 09:46:31 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232522
Bug ID: 232522
Summary: if_ipsec and pf doesn't work
Product: Base System
Version: 11.2-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: peter.blok at bsd4all.org
Created attachment 198460
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=198460&action=edit
Superfluous addition of pfil hooks in if_ipsec.c
A VPN with if_ipsec VTI does not keep state with the pf firewall. Below are the
symptoms:

1. If the VTI is on the pf.conf "skip" list, everything works ok!
2. With a "block all" nothing goes out, so works ok!
3. When passing an ssh connection with
   "pass out quick on ipsec0 from any to any port ssh keep state"
   the ssh connections work, but drop very quickly. When I dump the pf state
   table, it is not ESTABLISHED/ESTABLISHED.
4. When I add pfil hooks to if_ipsec.c (see attached patch) everything works
   ok, but according to ae it is an additional call to the hook, which is
   probably why #2 works ok.

System is now running fine with my hack and is in production, but I can set up
a test system and get more info as well as debug.
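Added example, not part of the bug report or of FreeBSD: a small shell check over `pfctl -ss` style lines that flags tcp states on a given interface which never reach ESTABLISHED:ESTABLISHED (the pfctl spelling of the symptom in item 3). The sample state lines, addresses and the ipsec0/em0 interface names are constructed for the example; on a live system the sample would be replaced by `pfctl -ss`.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output (not captured from the reporter's
# system). First column is the interface the state is bound to, the last
# column is the pf state pair. The ipsec0 ssh state stuck in SYN_SENT:CLOSED
# mirrors the symptom in item 3; the em0 state is a healthy reference.
SAMPLE_STATES='em0 tcp 192.0.2.10:51234 -> 198.51.100.5:22       ESTABLISHED:ESTABLISHED
ipsec0 tcp 10.10.0.1:40211 -> 10.20.0.7:22       SYN_SENT:CLOSED
ipsec0 tcp 10.10.0.1:40212 -> 10.20.0.7:22       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:5353 -> 224.0.0.251:5353       MULTIPLE:MULTIPLE'

# Read pfctl -ss formatted lines on stdin and print the tcp states bound to
# interface $1 whose state pair is anything other than ESTABLISHED:ESTABLISHED.
stale_tcp_states() {
    awk -v iface="$1" '
        $1 == iface && $2 == "tcp" && $NF != "ESTABLISHED:ESTABLISHED" { print }
    '
}

# Same filter, but emit only the count (handy for a cron or monitoring check
# that should alert when a VTI starts losing state).
count_stale_tcp() {
    stale_tcp_states "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: lists the stuck ipsec0 state.
printf '%s\n' "$SAMPLE_STATES" | stale_tcp_states ipsec0
```

Replace the `printf` with `pfctl -ss` to run it against the real state table; a non-zero count on the VTI while the same rule keeps state fine on a plain interface is the condition the report describes.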