From nobody@FreeBSD.org  Tue May  9 21:57:28 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0E75616A52D
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  9 May 2006 21:57:28 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 343B443D60
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  9 May 2006 21:57:25 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k49LvPKB061510
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 9 May 2006 21:57:25 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k49LvPN1061507;
	Tue, 9 May 2006 21:57:25 GMT
	(envelope-from nobody)
Message-Id: <200605092157.k49LvPN1061507@www.freebsd.org>
Date: Tue, 9 May 2006 21:57:25 GMT
From: Dmitry Andrianov <freebsd@dima.spb.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPSEC + pf stateful filtering does not work "out of the box"
X-Send-Pr-Version: www-2.3

>Number:         97057
>Category:       kern
>Synopsis:       IPSEC + pf stateful filtering does not work "out of the box"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    keramida
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 09 22:00:29 GMT 2006
>Closed-Date:    Mon Jun 26 13:07:56 GMT 2006
>Last-Modified:  Mon Jun 26 13:07:56 GMT 2006
>Originator:     Dmitry Andrianov
>Release:        6.0
>Organization:
DataArt
>Environment:
FreeBSD gw1 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Jan 13 21:41:10 MSK 2006     root@gw1:/usr/src/sys/i386/compile/gw1  i386
>Description:
When IPSEC is configured according to the handbook ( http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html ) but pf is used instead of ipfw, users experience very strange TCP connection stalls.

In addition to my experiencing that problem ( http://lists.freebsd.org/pipermail/freebsd-pf/2006-May/002129.html ), I believe the following reports also refer to the same problem I had:
http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008812.html
http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008745.html

The problem is caused by the fact that PF cannot properly track state, because it does not see packets coming from the tunnel to the gif interface. The problem is resolved by rebuilding the kernel with IPSEC_FILTERGIF. The real challenge is finding that solution, because all the references to that option say it is needed if you want filtering on gif. I do NOT want filtering on gif; I want filtering on other interfaces, but that does not work either.

In my opinion, the IPSEC_FILTERGIF option should be on by default. If that is absolutely unacceptable, the documentation should be fixed to reflect the "side effect" of enabling IPSEC/FAST_IPSEC without IPSEC_FILTERGIF.
>How-To-Repeat:
Set up IPSEC according to the handbook, and use the following pf ruleset:

pass in keep state
pass out keep state
>Fix:
Rebuild the kernel with IPSEC_FILTERGIF.
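The following is an added example and is not part of PR 97057 or of the FreeBSD tree. It is a small POSIX sh checker that scans a FreeBSD kernel configuration file for exactly the combination the report describes: IPSEC or FAST_IPSEC enabled while IPSEC_FILTERGIF is absent, which leaves pf blind to the packets leaving the tunnel via gif so that "keep state" rules stall. It assumes only the standard config(8) line format (`options NAME`, `#` comments); the function names and the three sample configs are constructed for the demonstration and are not the submitter's real gw1 configuration.

```shell
#!/bin/sh
# Added example, not part of PR 97057: scan a FreeBSD kernel configuration
# file for the mismatch the report describes, IPSEC or FAST_IPSEC enabled
# without IPSEC_FILTERGIF, so it is caught before config(8) and make are run.
# Only the option names that appear in the PR are recognised.

# ipsec_options FILE
#   Print the names of the IPSEC-related "options" entries in a kernel
#   config, one per line, with "#" comments and blank lines ignored.
ipsec_options() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "options" && $2 ~ /^(IPSEC|FAST_IPSEC|IPSEC_FILTERGIF)$/ { print $2 }'
}

# filtergif_status FILE
#   Print one word describing the config:
#     no-ipsec  neither IPSEC nor FAST_IPSEC is enabled
#     ok        IPSEC enabled together with IPSEC_FILTERGIF
#     missing   IPSEC enabled but IPSEC_FILTERGIF absent; pf never sees the
#               decapsulated packets arriving via gif, so "keep state" stalls
filtergif_status() {
    has_ipsec=0
    has_filtergif=0
    for opt in $(ipsec_options "$1"); do
        case "$opt" in
            IPSEC|FAST_IPSEC) has_ipsec=1 ;;
            IPSEC_FILTERGIF)  has_filtergif=1 ;;
        esac
    done
    if [ "$has_ipsec" -eq 0 ]; then
        echo no-ipsec
    elif [ "$has_filtergif" -eq 1 ]; then
        echo ok
    else
        echo missing
    fi
}

# check_kernel_config FILE
#   Exit 0 when the config is consistent, 1 when IPSEC_FILTERGIF is missing.
check_kernel_config() {
    status=$(filtergif_status "$1")
    if [ "$status" = missing ]; then
        echo "$1: IPSEC enabled without IPSEC_FILTERGIF; add 'options IPSEC_FILTERGIF' before building" >&2
        return 1
    fi
    echo "$1: $status"
    return 0
}

# write_sample_configs DIR
#   Write three constructed kernel configs (not the submitter's real gw1
#   config) into DIR so the checker can be exercised offline.
write_sample_configs() {
    cat > "$1/BROKEN" <<'EOF'
ident   BROKEN
options FAST_IPSEC        # handbook IPSEC setup, FILTERGIF left out
device  crypto
device  gif
device  pf
EOF
    cat > "$1/FIXED" <<'EOF'
ident   FIXED
options FAST_IPSEC
options IPSEC_FILTERGIF   # the fix from the PR
device  crypto
device  gif
device  pf
EOF
    cat > "$1/NOIPSEC" <<'EOF'
ident   NOIPSEC
# options FAST_IPSEC      # commented out, so IPSEC is not enabled
device  pf
EOF
}

# Stand-alone demo: build the samples in a scratch directory and check each.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for cfg in BROKEN FIXED NOIPSEC; do
    check_kernel_config "$demo_dir/$cfg" || true
done
rm -rf "$demo_dir"
```

Run it against a real config with `check_kernel_config /usr/src/sys/i386/conf/GW1` (path is an example) and build only when it reports `ok`; the `missing` verdict is the state the PR's ruleset of `pass in keep state` / `pass out keep state` exposes as TCP stalls.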
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri May 12 03:59:48 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=97057 

From: "Dmitry Andrianov" <dimas@dataart.com>
To: <bug-followup@FreeBSD.org>,
	<freebsd@dima.spb.ru>
Cc:  
Subject: Re: kern/97057: IPSEC + pf stateful filtering does not work "out of the box"
Date: Fri, 12 May 2006 09:32:53 +0400

 > Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
 
 I would not say this is a bug in pf.
 It is more like an improper kernel configuration used "by default".
  
 Regards,
 Dmitry Andrianov

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Cc:  
Subject: kern/97057: IPSEC + pf needs note?
Date: Sat, 3 Jun 2006 17:38:04 -0500

 ----- Forwarded message from Max Laier <max@love2party.net> -----
 
 anyone up for taking responsibility for this?  I don't think we should change 
 GENERIC for it, but it should clearly be documented somewhere somehow.  
 Thanks.
State-Changed-From-To: open->closed 
State-Changed-By: keramida 
State-Changed-When: Mon Jun 26 13:06:42 UTC 2006 
State-Changed-Why:  
I added a note about this in revision 1.296 of 
doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 

Thanks :) 



Responsible-Changed-From-To: freebsd-pf->keramida 
Responsible-Changed-By: keramida 
Responsible-Changed-When: Mon Jun 26 13:06:42 UTC 2006 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=97057 
>Unformatted:
