PF firewall does not examine incoming packet on ng_l2tp interface.
ng_pppoe : examine.
ng_l2tp : not examine.

How-To-Repeat:
Setup l2tp tunnel using net/mpd5.
Connect from client.
Write block PF rule on l2tp netgraph interface.

block in quick on ngX inet from any to any
pass out quick on ngX inet from any to any

PF lets the packets through. Block rule is not evaluated.

sudo pfctl -vvs -s Interfaces -i ngX
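A check for the how-to-repeat above, added here as an example (not from the report or from FreeBSD): it parses the per-interface counters that `pfctl -vvs Interfaces -i ngX` prints and flags the reported symptom, outbound IPv4 packets counted while both inbound counters stay at zero. The sample output is constructed and the column layout is assumed to match pfctl's.

```shell
#!/bin/sh
# Added example: read `pfctl -vvs Interfaces -i ngX` output and tell whether
# pf is counting inbound IPv4 packets on the interface at all.
# Constructed sample; the column layout is assumed to follow pfctl's counters.
SAMPLE_STATS='ng0
	Cleared:     Thu Aug  2 10:39:20 2012
	References:  1
	In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
	In4/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out4/Pass:   [ Packets: 42                 Bytes: 5208               ]
	Out4/Block:  [ Packets: 0                  Bytes: 0                  ]'

# pf_counter STATS NAME -> packet count of counter NAME (e.g. In4/Block),
# 0 if the counter line is absent.
pf_counter() {
    n=$(printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $4; exit }')
    printf '%s\n' "${n:-0}"
}

# pf_in_bypassed STATS -> exit 0 when outbound IPv4 packets were counted but
# neither In4/Pass nor In4/Block moved, i.e. inbound traffic never reached pf
# (the symptom seen with "block in quick on ngX"); exit 1 otherwise.
pf_in_bypassed() {
    in_total=$(( $(pf_counter "$1" In4/Pass) + $(pf_counter "$1" In4/Block) ))
    out_total=$(( $(pf_counter "$1" Out4/Pass) + $(pf_counter "$1" Out4/Block) ))
    [ "$out_total" -gt 0 ] && [ "$in_total" -eq 0 ]
}

# On a FreeBSD host: pf_in_bypassed "$(pfctl -vvs Interfaces -i ng0)"
if pf_in_bypassed "$SAMPLE_STATS"; then
    echo "ng0: inbound packets bypass pf"
else
    echo "ng0: pf sees inbound packets"
fi
```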
Responsible Changed From-To: freebsd-bugs->freebsd-net reclassify.
Hi,

> PF firewall does not examine incoming packet on ng_l2tp interface.

If your incoming packets are handled by IPSec before ng_l2tp your problem is explained in
lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html

--
Andreas Longwitz
In "Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf firewall" at Thu, 02 Aug 2012 10:39:20 +0200
Andreas Longwitz <longwitz@incore.de> wrote:

> Hi,
>> PF firewall does not examine incoming packet on ng_l2tp interface.
>
> If your incoming packets are handled by IPSec before ng_l2tp your
> problem is explained in

Yes, handled by IPSec.

> lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html

I will try it. Thanks.
Hi.

In "Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf firewall" at Thu, 02 Aug 2012 19:20:48 +0900 (JST)
HASHI Hiroaki <hashiz@meridiani.jp> wrote:

> In "Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf firewall" at Thu, 02 Aug 2012 10:39:20 +0200
> Andreas Longwitz <longwitz@incore.de> wrote:
>> Hi,
>>> PF firewall does not examine incoming packet on ng_l2tp interface.
>>
>> If your incoming packets are handled by IPSec before ng_l2tp your
>> problem is explained in
>
> Yes, handled by IPSec.
>
>> lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html
>
> I will try it.

This patch works fine for me.
Responsible Changed From-To: freebsd-net->freebsd-pf Over to maintainer(s).
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
*** This bug has been marked as a duplicate of bug 187566 ***
The patch given in bug 187566 has solved another problem than the one discussed in this bug report. We still need the patch:

--- ng_l2tp.c.1st 2021-12-19 19:31:10.693840000 +0100 +++ ng_l2tp.c 2021-12-23 14:50:47.334147000 +0100 @@ -755,6 +755,7 @@ hookpriv_p hpriv = NULL; hook_p hook = NULL; struct mbuf *m; + struct m_tag *mtag; u_int16_t tid, sid; u_int16_t hdr; u_int16_t ns, nr; @@ -997,6 +998,11 @@ NG_FREE_M(m); ERROUT(0); } + + /* Delete an existing ipsec tag */ + mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); + if (mtag != NULL) + m_tag_delete(m, mtag); /* Deliver data */ NG_FWD_NEW_DATA(error, item, hook, m);

The same issue for if_epair.c is solved in FreeBSD V12.3 calling a new static function called epair_clear_mbuf(). commit ae23f081...

Andreas
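Review bot: the comment "Delete an existing ipsec tag" in the second hunk (the `@@ -997,6 +998,11 @@` region) should say why the tag is removed right before NG_FWD_NEW_DATA: PACKET_TAG_IPSEC_IN_DONE was attached to the outer packet by IPsec, and if it stays on the decapsulated mbuf the inner L2TP payload is treated as already handled and the pf rules on the ng interface are not evaluated, which is the bypass this report is about. Also, `mtag` is added to the function-wide declarations in the first hunk (`+ struct m_tag *mtag;`) but is only used at this one spot; declaring it next to the m_tag_find() call keeps the variable's scope as narrow as its use. Since the same problem in if_epair.c is handled in 12.3 by epair_clear_mbuf(), the commit message should cite that commit in full (it is truncated here) so a reviewer can check whether the two fixes clear the same set of tags.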