Bug 110959

Summary: [ipsec] Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
Product: Base System
Reporter: Andre.Albsmeier
Component: kern
Assignee: Andrey V. Elsukov <ae>
Status: Closed FIXED
Severity: Affects Only Me
CC: ae
Priority: Normal
Flags: bugmeister: mfc-stable10?
bugmeister: mfc-stable9?
bugmeister: mfc-stable8?
Version: 6.2-STABLE
Hardware: Any
OS: Any

Description Andre.Albsmeier 2007-03-28 07:10:02 UTC
When using GIF-based IPSec setups it is not possible to filter
incoming packets using enc0 in pf. For example, adding a line

pass quick log on enc0 all

on top of all rules will log only outgoing packets. It does not
matter if IPSEC_FILTERGIF has been compiled into the kernel or
not.

When using standard IPSec setups (without GIF-tunnels) everything
works as it should (e.g., the above line will make all packets
get logged).

Fix:

Currently unknown.
How-To-Repeat:
Set up a GIF-based IPSec connection and pf, add the above-mentioned
line on top of all rules and watch the logs (while sending packets
over the link).
Comment 1 Remko Lodder freebsd_committer freebsd_triage 2007-03-28 07:57:07 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Networking issue
Comment 2 Bjoern A. Zeeb freebsd_committer freebsd_triage 2007-12-31 11:33:55 UTC
Hi,

could you test with HEAD (not 6 or 7, changes not there) and let me know
if it works there? You may need to tweak the sysctls documented in enc(4).

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
Comment 3 Bjoern A. Zeeb freebsd_committer freebsd_triage 2007-12-31 11:34:10 UTC
State Changed
From-To: open->feedback

There are patches in HEAD already - asked for feedback if they are
doing the right thing.

Comment 4 Bjoern A. Zeeb freebsd_committer freebsd_triage 2007-12-31 11:34:10 UTC
Responsible Changed
From-To: freebsd-net->bz

I have been touching enc(4) lately so let's see if that helped
or we need to fix that.
Comment 5 Andre.Albsmeier 2007-12-31 12:23:49 UTC
On Mon, 31-Dec-2007 at 11:33:55 +0000, Bjoern A. Zeeb wrote:
> Hi,
> 
> could you test with HEAD (not 6 or 7, changes not there) and let me know

Unfortunately, no (no -current available). Maybe I can
patch STABLE-6 myself? Or do you think the diffs won't
apply cleanly?
Comment 6 Bjoern A. Zeeb freebsd_committer freebsd_triage 2008-01-03 00:59:49 UTC
On Mon, 31 Dec 2007, Andre Albsmeier wrote:

> On Mon, 31-Dec-2007 at 11:33:55 +0000, Bjoern A. Zeeb wrote:
>> Hi,
>>
>> could you test with HEAD (not 6 or 7, changes not there) and let me know
>
> Unfortunately, no (no -current available). Maybe I can
> patch STABLE-6 myself? Or do you think the diffs won't
> apply cleanly?

No, it didn't.

I have put an entirely untested (not even compile time tested) patch at
http://sources.zabbadoz.net/freebsd/patchset/patch-20080103-01-if_enc_sysctls-RELENG_6.diff

Could you give it a try on a test system? In case there are problems,
let me know.

/bz

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
Comment 7 Andre.Albsmeier 2008-01-03 06:43:27 UTC
On Thu, 03-Jan-2008 at 00:59:49 +0000, Bjoern A. Zeeb wrote:
> 
> I have put an entirely untested (not even compile time tested) patch at
> http://sources.zabbadoz.net/freebsd/patchset/patch-20080103-01-if_enc_sysctls-RELENG_6.diff
> 
> Could you give it a try on a test system? In case there are problems,
> let me know.

I can but it will take a bit (the machine which experienced the
problem doesn't do IPSec anymore and my others are non-GIF based).
I suggest keeping the patch online -- maybe someone else can jump
in here before I do...

Thanks,

	-Andre
Comment 8 Bjoern A. Zeeb freebsd_committer freebsd_triage 2008-03-22 16:17:52 UTC
Hi,

going back through the list of PRs I think this is directly related to
the observations documented in PR kern/121642.

Can you confirm that you had been using tunnel mode with gif?
In case you did not and it was transport mode this is a different issue.

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
Comment 9 Andre.Albsmeier 2008-03-23 08:56:02 UTC
On Sat, 22-Mar-2008 at 16:17:52 +0000, Bjoern A. Zeeb wrote:
> Hi,
> 
> going back through the list of PRs I think this is directly related to
> the observations documented in PR kern/121642 .
> 
> Can you confirm that you had been using tunnel mode with gif?

Yes, I had to use this setup since it was dictated from
the other side. However, this setup doesn't exist anymore
so I can't tell if things have changed.

Feel free to suspend this PR since I can't provide feedback
about patches :-(

Thanks,

	-Andre

> In case you did not and it was transport mode this is a different issue.
> 
> -- 
> Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
> Software is harder than hardware  so better get it right the first time.
Comment 10 Bjoern A. Zeeb freebsd_committer freebsd_triage 2014-05-18 06:04:12 UTC
Responsible Changed
From-To: bz->gnn

I shall not use bugzilla (at least until we will have a CLI).
Comment 11 commit-hook freebsd_committer freebsd_triage 2014-10-07 13:31:11 UTC
A commit references this bug:

Author: ae
Date: Tue Oct  7 13:31:05 UTC 2014
New revision: 272695
URL: https://svnweb.freebsd.org/changeset/base/272695

Log:
  Our packet filters use mbuf's rcvif pointer to determine incoming interface.
  Change mbuf's rcvif to enc0 and restore it after pfil processing.

  PR:		110959
  Sponsored by:	Yandex LLC

Changes:
  head/sys/net/if_enc.c
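The rcvif swap that the commit log describes, as an added illustration that is not the kernel's own if_enc.c code: the struct layouts, the function names and the gif0/enc0 scenario are simplified stand-ins constructed here to show why an inbound packet never matched a rule "on enc0" before the change and does afterwards.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified stand-ins for the kernel's struct ifnet and struct mbuf. */
struct ifnet { const char *if_xname; };
struct mbuf { struct ifnet *rcvif; int len; };

/* Stand-in for the report's "pass quick log on enc0 all" rule: like pf,
 * it identifies the incoming interface through m->rcvif. */
static int enc0_log_count;
static bool rule_on_enc0(const struct mbuf *m)
{
    if (m->rcvif != NULL && strcmp(m->rcvif->if_xname, "enc0") == 0) {
        enc0_log_count++;
        return true;
    }
    return false;
}

/* Pre-fix input path: the filter sees the interface the packet really
 * arrived on (gif0 here), so a rule "on enc0" never matches inbound. */
bool filter_inbound_old(struct mbuf *m) { return rule_on_enc0(m); }

/* r272695 pattern: point rcvif at enc0 only while the pfil hooks run,
 * then restore the real receive interface for the rest of the input path. */
bool filter_inbound_new(struct mbuf *m, struct ifnet *enc)
{
    struct ifnet *saved = m->rcvif;
    bool matched;
    m->rcvif = enc;
    matched = rule_on_enc0(m);
    m->rcvif = saved;
    return matched;
}

/* Constructed scenario: one decapsulated packet that arrived via gif0.
 * Result bits: 1 = old path matched, 2 = new path matched,
 * 4 = rcvif still gif0 afterwards. Expected after the fix: 6. */
int demo_gif_tunnel_packet(void)
{
    struct ifnet gif0 = { "gif0" }, enc0 = { "enc0" };
    struct mbuf m = { &gif0, 84 };
    int r = 0;
    if (filter_inbound_old(&m)) r |= 1;
    if (filter_inbound_new(&m, &enc0)) r |= 2;
    if (m.rcvif == &gif0) r |= 4;
    return r;
}
int logged_on_enc0(void) { return enc0_log_count; }
```

The restore step matters as much as the swap: later stages of the input path still expect the packet's real receive interface, which is why the commit puts it back after pfil processing.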
Comment 12 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-10-07 13:32:23 UTC
Patched in head/.
Comment 13 Glen Barber freebsd_committer freebsd_triage 2015-07-08 18:02:27 UTC
Close PRs that have had a corresponding fix committed.