From Andre.Albsmeier@siemens.com  Wed Mar 28 06:08:42 2007
Return-Path: <Andre.Albsmeier@siemens.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 9025916A400
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 28 Mar 2007 06:08:42 +0000 (UTC)
	(envelope-from Andre.Albsmeier@siemens.com)
Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28])
	by mx1.freebsd.org (Postfix) with ESMTP id 223E613C4B0
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 28 Mar 2007 06:08:41 +0000 (UTC)
	(envelope-from Andre.Albsmeier@siemens.com)
Received: from mail3.siemens.de (localhost [127.0.0.1])
	by goliath.siemens.de (8.12.6/8.12.6) with ESMTP id l2S5lF3b015410
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 28 Mar 2007 07:47:15 +0200
Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.40.130])
	by mail3.siemens.de (8.12.6/8.12.6) with ESMTP id l2S5lEV8027286
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 28 Mar 2007 07:47:14 +0200
Received: (from localhost)
	by curry.mchp.siemens.de (8.13.8/8.13.8) id l2S5lEew001272
	for FreeBSD-gnats-submit@freebsd.org; Wed, 28 Mar 2007 07:47:14 +0200 (CEST)
Message-Id: <200703280547.l2S5lEna008447@curry.mchp.siemens.de>
Date: Wed, 28 Mar 2007 07:47:14 +0200 (CEST)
From: Andre Albsmeier <Andre.Albsmeier@siemens.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         110959
>Category:       kern
>Synopsis:       [ipsec] Filtering incoming packets with enc0 does not work with GIF-based IPSec setups
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnn
>State:          feedback
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 28 06:10:02 GMT 2007
>Closed-Date:    
>Last-Modified:  Sun May 18 05:04:28 UTC 2014
>Originator:     Andre Albsmeier
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:

System: FreeBSD 6.2-STABLE #0: Tue Mar 20 09:54:57 CET 2007

...
options         FAST_IPSEC
device          pf
device          pflog
device          gif
device          enc
device          random
device          crypto
...

using a GIF-based IPSec connection and pf.

>Description:

When using GIF-based IPSec setups it is not possible to filter
incoming packets using enc0 in pf. For example, adding a line

pass quick log on enc0 all

on top of all rules will log only outgoing packets. It does not
matter if IPSEC_FILTERGIF has been compiled into the kernel or
not.

When using standard IPSec setups (without GIF-tunnels) everything
works as it should (e.g., the above line will make all packets
get logged).

>How-To-Repeat:

Set up a GIF-based IPSec connection and pf, add the above-mentioned
line on top of all rules and watch the logs (while sending packets
over the link).
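The "watch the logs" step above boils down to one check: for each interface that the rule logged on, did both directions show up, or only one? The script below is an added example for this PR (it is not part of the report or of FreeBSD) that performs that check over `tcpdump -n -e -i pflog0` output. It assumes the usual pflog line shape `rule N/M(match): ACTION DIR on IFNAME: ...`; the sample lines are constructed to mimic the symptom described in the description (only outbound packets logged on `enc0`, while `em0` shows both directions).

```python
import re
import sys
from collections import defaultdict

# Constructed sample of tcpdump output read from pflog0.  These lines are made up
# for this example; they mimic what "pass quick log on enc0 all" plus a couple of
# ordinary em0 rules would produce when enc0 only ever sees the outbound side.
SAMPLE_PFLOG = """\
09:12:01.100001 rule 0/0(match): pass out on enc0: 10.1.0.1 > 10.2.0.1: ICMP echo request, id 7, seq 1, length 64
09:12:01.100455 rule 0/0(match): pass out on enc0: 10.1.0.1 > 10.2.0.1: ICMP echo request, id 7, seq 2, length 64
09:12:01.200010 rule 3/0(match): pass in on em0: 192.0.2.10.55012 > 192.0.2.1.22: tcp 0
09:12:01.200230 rule 4/0(match): pass out on em0: 192.0.2.1.22 > 192.0.2.10.55012: tcp 0
"""

# Matches the pflog prefix tcpdump prints before the decoded packet:
#   rule 0/0(match): pass out on enc0: ...
PFLOG_RE = re.compile(
    r"rule \d+/\d+\([^)]*\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+):"
)


def count_directions(lines):
    """Count logged packets per interface and direction.

    Returns {ifname: {"in": n, "out": m}}; lines that are not pflog records
    (tcpdump banners, continuation lines) are skipped.
    """
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m:
            continue
        counts[m.group("ifname")][m.group("dir")] += 1
    return dict(counts)


def one_directional_interfaces(counts):
    """Return interfaces where traffic was logged in exactly one direction.

    With a "pass quick log on enc0 all" rule at the top of the ruleset, enc0
    appearing here while traffic flows both ways over the tunnel is the
    symptom the PR describes: the inbound leg never reaches the pf hook.
    """
    return sorted(
        ifname
        for ifname, c in counts.items()
        if (c["in"] == 0) != (c["out"] == 0)
    )


def report(lines):
    """Human-readable summary; used when piping real tcpdump output in."""
    counts = count_directions(lines)
    out = []
    for ifname in sorted(counts):
        c = counts[ifname]
        out.append(f"{ifname}: in={c['in']} out={c['out']}")
    for ifname in one_directional_interfaces(counts):
        out.append(f"WARNING: {ifname} logged only one direction")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: tcpdump -n -e -l -i pflog0 | python3 check_pflog_dirs.py
    # Without stdin input, run against the constructed sample instead.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_PFLOG.splitlines()
    print(report(src))
```

Run it against a live `tcpdump -n -e -l -i pflog0` while sending traffic over the tunnel; an `enc0` line that reports `in=0` with a non-zero `out` reproduces the observation in the description, whereas a healthy setup (or a non-GIF IPsec configuration) shows counts in both directions.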

>Fix:

Currently unknown.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: remko 
Responsible-Changed-When: Wed Mar 28 06:57:07 UTC 2007 
Responsible-Changed-Why:  
Networking issue 

http://www.freebsd.org/cgi/query-pr.cgi?pr=110959 
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Mon Dec 31 11:34:10 UTC 2007 
State-Changed-Why:  
There are patches in HEAD already - asked for feedback if they are 
doing the right thing. 


Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Mon Dec 31 11:34:10 UTC 2007 
Responsible-Changed-Why:  
I have been touching enc(4) lately so let's see if that helped 
or we need to fix that. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=110959 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, Andre.Albsmeier@siemens.com
Cc:  
Subject: Re: kern/110959: [ipsec] Filtering incoming packets with enc0 does
 not work with GIF-based IPSec setups
Date: Mon, 31 Dec 2007 11:33:55 +0000 (UTC)

 Hi,
 
 could you test with HEAD (not 6 or 7, changes not there) and let me know
 if it works there? You may need to tweak the sysctls documented in enc(4).
 
 -- 
 Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
 Software is harder than hardware  so better get it right the first time.

From: Andre Albsmeier <Andre.Albsmeier@siemens.com>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org, Andre.Albsmeier@siemens.com
Subject: Re: kern/110959: [ipsec] Filtering incoming packets with enc0 does
	not work with GIF-based IPSec setups
Date: Mon, 31 Dec 2007 13:23:49 +0100

 On Mon, 31-Dec-2007 at 11:33:55 +0000, Bjoern A. Zeeb wrote:
 > Hi,
 > 
 > could you test with HEAD (not 6 or 7, changes not there) and let me know
 
 Unfortunately, no (no -current available). Maybe I can
 patch STABLE-6 myself? Or do you think the diffs won't
 apply cleanly?

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: Andre Albsmeier <Andre.Albsmeier@siemens.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/110959: [ipsec] Filtering incoming packets with enc0 does
 not work with GIF-based IPSec setups
Date: Thu, 3 Jan 2008 00:59:49 +0000 (UTC)

 On Mon, 31 Dec 2007, Andre Albsmeier wrote:
 
 > On Mon, 31-Dec-2007 at 11:33:55 +0000, Bjoern A. Zeeb wrote:
 >> Hi,
 >>
 >> could you test with HEAD (not 6 or 7, changes not there) and let me know
 >
 > Unfortunately, no (no -current available). Maybe I can
 > patch STABLE-6 myself? Or do you think the diffs won't
 > apply cleanly?
 
 No, it didn't.
 
 I have put an entirely untested (not even compile time tested) patch at
 http://sources.zabbadoz.net/freebsd/patchset/patch-20080103-01-if_enc_sysctls-RELENG_6.diff
 
 Could you give it a try on a test system? In case there are problems,
 let me know.
 
 /bz
 
 -- 
 Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
 Software is harder than hardware  so better get it right the first time.

From: Andre Albsmeier <Andre.Albsmeier@siemens.com>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: Andre Albsmeier <Andre.Albsmeier@siemens.com>, bug-followup@FreeBSD.org
Subject: Re: kern/110959: [ipsec] Filtering incoming packets with enc0 does
	not work with GIF-based IPSec setups
Date: Thu, 3 Jan 2008 07:43:27 +0100

 On Thu, 03-Jan-2008 at 00:59:49 +0000, Bjoern A. Zeeb wrote:
 > 
 > I have put an entirely untested (not even compile time tested) patch at
 > http://sources.zabbadoz.net/freebsd/patchset/patch-20080103-01-if_enc_sysctls-RELENG_6.diff
 > 
 > Could you give it a try on a test system? In case there are problems,
 > let me know.
 
 I can but it will take a bit (the machine which experienced the
 problem doesn't do IPSec anymore and my others are non-GIF based).
 I suggest keeping the patch online -- maybe someone else can jump
 in here before I do...
 
 Thanks,
 
 	-Andre
 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, Andre.Albsmeier@siemens.com
Cc:  
Subject: Re: kern/110959: [ipsec] Filtering incoming packets with enc0 does
 not work with GIF-based IPSec setups
Date: Sat, 22 Mar 2008 16:17:52 +0000 (UTC)

 Hi,
 
 going back through the list of PRs I think this is directly related to
 the observations documented in PR kern/121642 .
 
 Can you confirm that you had been using tunnel mode with gif?
 In case you did not and it was transport mode this is a different issue.
 
 -- 
 Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
 Software is harder than hardware  so better get it right the first time.

From: Andre Albsmeier <Andre.Albsmeier@siemens.com>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org, Andre.Albsmeier@siemens.com
Subject: Re: kern/110959: [ipsec] Filtering incoming packets with enc0 does
	not work with GIF-based IPSec setups
Date: Sun, 23 Mar 2008 09:56:02 +0100

 On Sat, 22-Mar-2008 at 16:17:52 +0000, Bjoern A. Zeeb wrote:
 > Hi,
 > 
 > going back through the list of PRs I think this is directly related to
 > the observations documented in PR kern/121642 .
 > 
 > Can you confirm that you had been using tunnel mode with gif?
 
 Yes, I had to use this setup since it was dictated from
 the other side. However, this setup doesn't exist anymore
 so I can't tell if things have changed.
 
 Feel free to suspend this PR since I can't provide feedback
 about patches :-(
 
 Thanks,
 
 	-Andre
 
 > In case you did not and it was transport mode this is a different issue.
 > 
 > -- 
 > Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
 > Software is harder than hardware  so better get it right the first time.
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:04:12 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we will have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=110959 
>Unformatted:
