From nobody@FreeBSD.org  Thu Jul 23 16:49:56 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6668C1065693
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 23 Jul 2009 16:49:56 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 3A5AF8FC19
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 23 Jul 2009 16:49:56 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n6NGntrp089667
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 23 Jul 2009 16:49:55 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n6NGntBl089666;
	Thu, 23 Jul 2009 16:49:55 GMT
	(envelope-from nobody)
Message-Id: <200907231649.n6NGntBl089666@www.freebsd.org>
Date: Thu, 23 Jul 2009 16:49:55 GMT
From: Ingo Flaschberger <if@xip.at>
To: freebsd-gnats-submit@FreeBSD.org
Subject: fastforwarding breaks ipsec
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         137036
>Category:       kern
>Synopsis:       [ipsec] fastforwarding breaks ipsec
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 23 17:00:04 UTC 2009
>Closed-Date:    Sat Jul 25 19:42:10 UTC 2009
>Last-Modified:  Sat Jul 25 19:42:10 UTC 2009
>Originator:     Ingo Flaschberger
>Release:        7.2-STABLE
>Organization:
>Environment:
FreeBSD  7.2-STABLE FreeBSD 7.2-STABLE #13: Thu Jul 23 13:40:58 UTC 2009     root@xxxxx:/usr/obj/usr/src/sys/ROUTER  i386
>Description:
When fastforwarding is enabled, packets directed to an ipsec-link are not passed to ipsec but routed (not encrypted) via the suitable route.
setkey - sa's are ignored

>How-To-Repeat:
sysctl -w net.inet.ip.fastforwarding=1

>Fix:
sysctl -w net.inet.ip.fastforwarding=0

>Release-Note:
>Audit-Trail:

From: Florian Smeets <flo@kasimir.com>
To: bug-followup@FreeBSD.org, if@xip.at
Cc:  
Subject: Re: kern/137036: fastforwarding breaks ipsec
Date: Fri, 24 Jul 2009 10:13:25 +0200

 This is known and documented in inet(4):
 
     All features of the normal (slow) IP forwarding path are supported
     including firewall (through pfil(9) hooks) checking, except ipsec(4)
     tunnel brokering.  The IP fastforwarding path does not generate ICMP
     redirect or source quench messages.
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Jul 25 01:30:44 UTC 2009 
Responsible-Changed-Why:  
Apparently this is documented behavior. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137036 
State-Changed-From-To: open->closed 
State-Changed-By: bz 
State-Changed-When: Sat Jul 25 19:41:06 UTC 2009 
State-Changed-Why:  
Works as expected.  I admit that inet(4) is probably not the 
best place to look for the description but at least it's there. 


Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sat Jul 25 19:41:06 UTC 2009 
Responsible-Changed-Why:  
Take in case of follow-ups. 

>Unformatted:
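
Added example (not part of the PR and not FreeBSD code): a shell check for the condition reported above, net.inet.ip.fastforwarding=1 while the SPD holds outbound ipsec policies. The function names, the --live switch and the sample SPD dump are constructed for illustration; the dump imitates `setkey -DP` output.

```shell
#!/bin/sh
# Added example: flags the condition from this PR, fastforwarding enabled
# while outbound IPsec policies exist. Names and sample data are constructed.

# Constructed sample imitating `setkey -DP` output (documentation address
# ranges): one inbound and one outbound tunnel policy.
SAMPLE_SPD=$(printf '%s\n\t%s\n\t%s\n%s\n\t%s\n\t%s\n' \
    '198.51.100.0/24[any] 192.0.2.0/24[any] any' \
    'in ipsec' \
    'esp/tunnel/203.0.113.2-203.0.113.1/require' \
    '192.0.2.0/24[any] 198.51.100.0/24[any] any' \
    'out ipsec' \
    'esp/tunnel/203.0.113.1-203.0.113.2/require')

# Reads an SPD dump on stdin and prints the number of outbound ipsec policies.
count_out_ipsec_policies() {
    # grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
    grep -Ec '^[[:space:]]+out[[:space:]]+ipsec[[:space:]]*$' || true
}

# check_ff_ipsec FASTFORWARDING_VALUE SPD_DUMP
# Returns 1 when forwarded packets can take the fast path even though
# outbound ipsec policies are configured, 0 otherwise.
check_ff_ipsec() {
    ff=$1
    n=$(printf '%s\n' "$2" | count_out_ipsec_policies)
    if [ "$ff" = "1" ] && [ "$n" -gt 0 ]; then
        echo "CONFLICT: fastforwarding=1 with $n outbound ipsec policies"
        return 1
    fi
    echo "OK: fastforwarding=$ff, outbound ipsec policies=$n"
    return 0
}

# Live mode (hypothetical --live switch): read the real values on the router.
# A missing sysctl is treated as 0 (assumption).
if [ "${1:-}" = "--live" ]; then
    ff=$(sysctl -n net.inet.ip.fastforwarding 2>/dev/null || echo 0)
    check_ff_ipsec "$ff" "$(setkey -DP 2>/dev/null)"
fi
```

A CONFLICT result corresponds to the state in >How-To-Repeat; the setting in >Fix (net.inet.ip.fastforwarding=0) clears it.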
