From hashiz@tomba.meridiani.jp  Tue Jul  3 01:44:00 2012
Return-Path: <hashiz@tomba.meridiani.jp>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id A69571065673
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  3 Jul 2012 01:44:00 +0000 (UTC)
	(envelope-from hashiz@tomba.meridiani.jp)
Received: from smtp.jupiter.ocn.ne.jp (jupiter.ocn.ne.jp [122.28.30.171])
	by mx1.freebsd.org (Postfix) with ESMTP id 572068FC0A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  3 Jul 2012 01:44:00 +0000 (UTC)
Received: from tomba.meridiani.jp (p28170-ipngn1601funabasi.chiba.ocn.ne.jp [153.129.135.170])
	by smtp.jupiter.ocn.ne.jp (Postfix) with ESMTP id 0771B2990
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  3 Jul 2012 10:12:31 +0900 (JST)
Received: from tomba.meridiani.jp (localhost.meridiani.jp [127.0.0.1])
	by tomba.meridiani.jp (8.14.5/8.14.5) with ESMTP id q631CUjL008768
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 3 Jul 2012 10:12:30 +0900 (JST)
	(envelope-from hashiz@tomba.meridiani.jp)
Received: (from hashiz@localhost)
	by tomba.meridiani.jp (8.14.5/8.14.5/Submit) id q631CUY3008767;
	Tue, 3 Jul 2012 10:12:30 +0900 (JST)
	(envelope-from hashiz)
Message-Id: <201207030112.q631CUY3008767@tomba.meridiani.jp>
Date: Tue, 3 Jul 2012 10:12:30 +0900 (JST)
From: HASHI Hiroaki <hashiz@meridiani.jp>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ng_l2tp incoming packet bypass pf firewall
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         169620
>Category:       kern
>Synopsis:       [ng] [pf] ng_l2tp incoming packet bypass pf firewall
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 03 01:50:08 UTC 2012
>Closed-Date:    
>Last-Modified:  Sun May 04 04:51:01 UTC 2014
>Originator:     HASHI Hiroaki
>Release:        FreeBSD 8.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD tomba.meridiani.jp 8.3-STABLE FreeBSD 8.3-STABLE #33: Mon Jul 2 01:44:40 JST 2012 hashiz@stenmark.meridiani.jp:/usr/obj/usr/src/sys/TOMBA i386

l2tp daemon: net/mpd5

>Description:
The PF firewall does not examine incoming packets on an ng_l2tp interface.
ng_pppoe : examined.
ng_l2tp  : not examined.

>How-To-Repeat:

Set up an l2tp tunnel using net/mpd5.

Connect from a client.

Write a block PF rule on the l2tp netgraph interface:
    block in quick on ngX inet from any to any
    pass  out quick on ngX inet from any to any

PF lets the packets through; the block rule is not evaluated:
    sudo pfctl -vv -s Interfaces -i ngX



>Fix:



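An added check, not part of this PR, mpd5 or pf, to confirm the symptom described in How-To-Repeat: snapshot the per-interface pf counters before and after sending known traffic through the tunnel, and see whether pf's In4 counters move at all. The snapshots below are constructed sample text in the format of `pfctl -vv -s Interfaces -i ngX`; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the PR): if neither In4/Pass nor In4/Block
# grows while packets arrive on ngX, pf never saw them, which is the
# bypass this PR reports (a matching "block in" rule would grow In4/Block).

# Sum the In4/Pass and In4/Block packet counters from one pfctl snapshot.
pf_in4_packets() {
    printf '%s\n' "$1" | awk '
        /In4\/(Pass|Block):/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") sum += $(i + 1)
        }
        END { print sum + 0 }'
}

# Print "bypass" when the In4 counters did not move between two snapshots,
# "evaluated" when pf accounted for at least one inbound packet.
pf_in4_verdict() {
    before=$(pf_in4_packets "$1")
    after=$(pf_in4_packets "$2")
    if [ "$after" -gt "$before" ]; then echo evaluated; else echo bypass; fi
}

# Constructed snapshots: on a live host use
#   SNAP_BEFORE=$(pfctl -vv -s Interfaces -i ng0); ping from the client;
#   SNAP_AFTER=$(pfctl -vv -s Interfaces -i ng0)
SNAP_BEFORE='ng0
	Cleared:     Tue Jul  3 10:00:00 2012
	References:  2
	In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
	In4/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out4/Pass:   [ Packets: 12                 Bytes: 1008               ]
	Out4/Block:  [ Packets: 0                  Bytes: 0                  ]'
# Symptom from the PR: outbound counters grow, inbound counters stay at 0.
SNAP_AFTER_BYPASS='ng0
	Cleared:     Tue Jul  3 10:00:00 2012
	References:  2
	In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
	In4/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out4/Pass:   [ Packets: 22                 Bytes: 1848               ]
	Out4/Block:  [ Packets: 0                  Bytes: 0                  ]'
# Expected behaviour: the "block in quick" rule accounts for the 10 pings.
SNAP_AFTER_OK='ng0
	Cleared:     Tue Jul  3 10:00:00 2012
	References:  2
	In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
	In4/Block:   [ Packets: 10                 Bytes: 840                ]
	Out4/Pass:   [ Packets: 22                 Bytes: 1848               ]
	Out4/Block:  [ Packets: 0                  Bytes: 0                  ]'

pf_in4_verdict "$SNAP_BEFORE" "$SNAP_AFTER_BYPASS"
pf_in4_verdict "$SNAP_BEFORE" "$SNAP_AFTER_OK"
```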
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Jul 16 02:54:51 UTC 2012 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169620 

From: Andreas Longwitz <longwitz@incore.de>
To: bug-followup@freebsd.org, hashiz@meridiani.jp
Cc:  
Subject: Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf firewall
Date: Thu, 02 Aug 2012 10:39:20 +0200

 Hi,
 > PF firewall does not examine incoming packets on ng_l2tp interface.
 
 If your incoming packets are handled by IPSec before ng_l2tp your
 problem is explained in
 
    lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html
 
 -- 
 Andreas Longwitz
 

From: HASHI Hiroaki <hashiz@meridiani.jp>
To: longwitz@incore.de
Cc: bug-followup@freebsd.org
Subject: Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf
 firewall
Date: Thu, 02 Aug 2012 19:20:48 +0900 (JST)

 In "Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf firewall" at Thu, 02 Aug 2012 10:39:20 +0200
  Andreas Longwitz <longwitz@incore.de>  wrote:
 > Hi,
 >> PF firewall does not examine incoming packets on ng_l2tp interface.
 > 
 > If your incoming packets are handled by IPSec before ng_l2tp your
 > problem is explained in
 
 Yes, handled by IPSec.
 
 > 
 >    lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html
 
 I will try it.
 
 Thanks.

From: HASHI Hiroaki (=?iso-2022-jp?B?GyRCNjYbKEIgGyRCOSg+NBsoQg==?=)
 <hashiz@meridiani.jp>
To: longwitz@incore.de
Cc: bug-followup@freebsd.org
Subject: Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf
 firewall
Date: Fri, 03 Aug 2012 12:39:15 +0900 (JST)

 Hi.
 
 In "Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf firewall" at Thu, 02 Aug 2012 19:20:48 +0900 (JST)
  HASHI Hiroaki <hashiz@meridiani.jp>  wrote:
 > In "Re: kern/169620: [ng] [pf] ng_l2tp incoming packet bypass pf firewall" at Thu, 02 Aug 2012 10:39:20 +0200
 >  Andreas Longwitz <longwitz@incore.de>  wrote:
 >> Hi,
 >>> PF firewall does not examine incoming packets on ng_l2tp interface.
 >> 
 >> If your incoming packets are handled by IPSec before ng_l2tp your
 >> problem is explained in
 > 
 > Yes, handled by IPSec.
 > 
 >> 
 >>    lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html
 > 
 > I will try it.
 
 This patch works fine for me.
Responsible-Changed-From-To: freebsd-net->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun May 4 04:50:27 UTC 2014 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169620 
>Unformatted:
