IPsec filtertunnel broken on FreeBSD 10

Alexander V. Chernikov melifaro at FreeBSD.org
Fri Feb 7 05:54:51 UTC 2014


On 07.02.2014 02:21, Nicolas DEFFAYET wrote:
> Hello,
> 
> The IPsec filtertunnel is broken on FreeBSD 10: decapsulated incoming
> packets do not go to the firewall or to the enc pseudo-interface.
> 
> This issue affects 10.0-RELEASE and 10.0-STABLE.
> 9.1-RELEASE and 9.2-RELEASE are not affected.
> 
> Of course the sysctl shows that filtertunnel is enabled:
> net.inet.ipsec.filtertunnel=1
> net.inet6.ipsec.filtertunnel=1
> 
> This issue is serious, as it is not possible to use a firewall (ipfw/pf)
> to secure a gre/gif/l2tp IPsec tunnel when the decapsulated incoming
> packets are not seen by the firewall.
> 
> Many people have reported the issue on forums.freebsd.org and a bug
> report has been opened:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/185876
> 
> To try to provide a fix, I have run a diff on the kernel source in the
> net, netinet, netinet6 and netipsec folders between 9.2-RELEASE and
> 10.0-RELEASE, but I have not found which change could break IPsec
> filtertunnel.
> 
> 
> Can any expert, or anyone who knows the code, help us please?
I'll take a look at this today.
> 
> 
> Many thanks !
> 
> 

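The report above hinges on the difference between the filtertunnel knob being set and decapsulated packets actually being presented to the firewall on enc0. The following script is an added example, not code from the thread, the PR or FreeBSD itself. It encodes that distinction as a check: a count-only ipfw rule on enc0 that should fire for the inner packets of a tunnel-mode SA, and a decision based on whether its counter moves after traffic is pushed through the tunnel. The sysctl and `ipfw show` outputs embedded below are constructed samples, rule number 100 and the `live_check PEER` argument are arbitrary choices for the example, and `live_check` is only meant to be run as root on a FreeBSD host with the SA already up.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Separates "the filtertunnel knob
# is set" from "decapsulated packets actually reach the firewall on enc0".
# The sample outputs below are constructed, not captured from a host, and
# the ipfw rule number 100 is an arbitrary choice for the example.

# Constructed sample of what `sysctl net.inet.ipsec.filtertunnel \
#   net.inet6.ipsec.filtertunnel` prints when both knobs are on.
SAMPLE_SYSCTL='net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec.filtertunnel: 1'

# Constructed samples of `ipfw show` (rule, packets, bytes, body). In the
# BROKEN sample the count rule on enc0 never fired although traffic flowed,
# which is the symptom described in the report; in OK it did fire.
SAMPLE_IPFW_BROKEN='00100        0         0 count ip from any to any via enc0
65535   123456  98765432 allow ip from any to any'
SAMPLE_IPFW_OK='00100       12      1008 count ip from any to any via enc0
65535   123456  98765432 allow ip from any to any'

# filtertunnel_enabled SYSCTL_OUTPUT : succeed only if both the IPv4 and
# the IPv6 knob read 1, so a mixed setting is not mistaken for "enabled".
filtertunnel_enabled() {
    v4=$(printf '%s\n' "$1" | awk '$1 == "net.inet.ipsec.filtertunnel:"  { print $2 }')
    v6=$(printf '%s\n' "$1" | awk '$1 == "net.inet6.ipsec.filtertunnel:" { print $2 }')
    [ "$v4" = 1 ] && [ "$v6" = 1 ]
}

# enc0_packets IPFW_OUTPUT RULENUM : print the packet counter of the count
# rule with that number on enc0 (0 if the rule is missing or never matched).
enc0_packets() {
    n=$(printf '%05d' "$2")
    printf '%s\n' "$1" | awk -v n="$n" 'BEGIN { c = 0 } $1 == n && /via enc0/ { c = $2 } END { print c }'
}

# diagnose SYSCTL_OUTPUT IPFW_OUTPUT RULENUM : one word describing the state.
#   filtertunnel-off : knob not (fully) enabled, nothing to debug yet
#   enc0-filtered    : decapsulated packets hit the firewall via enc0
#   enc0-bypassed    : knob on, traffic sent, counter still 0 (the reported bug)
diagnose() {
    if ! filtertunnel_enabled "$1"; then
        echo filtertunnel-off
    elif [ "$(enc0_packets "$2" "$3")" -gt 0 ]; then
        echo enc0-filtered
    else
        echo enc0-bypassed
    fi
}

# live_check PEER : the same logic against a real FreeBSD host (run as root,
# with a tunnel-mode SA to PEER already established). Not executed here.
live_check() {
    kldload -n if_enc                                   # enc(4) pseudo-interface
    sysctl net.inet.ipsec.filtertunnel=1 net.inet6.ipsec.filtertunnel=1
    ifconfig enc0 up
    ipfw add 100 count ip from any to any via enc0      # counts only what enc0 sees
    ping -c 5 "$1" >/dev/null                           # push traffic through the SA
    diagnose "$(sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec.filtertunnel)" \
             "$(ipfw show)" 100
}

# Offline run over the constructed samples:
diagnose "$SAMPLE_SYSCTL" "$SAMPLE_IPFW_BROKEN" 100    # enc0-bypassed
diagnose "$SAMPLE_SYSCTL" "$SAMPLE_IPFW_OK" 100        # enc0-filtered
```

A `count` rule is used rather than `deny` so the check never changes what the firewall lets through while you are measuring. With pf the equivalent is a `pass ... on enc0` rule whose counters you read back with `pfctl -vsr`, and `tcpdump -ni enc0` during the ping gives the same answer without touching the ruleset. Run the check once on a 9.x host known to work to confirm the baseline before concluding that a 10.0 host shows the bug.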
