https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232522

            Bug ID: 232522
           Summary: if_ipsec and pf doesn't work
           Product: Base System
           Version: 11.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: b...@freebsd.org
          Reporter: peter.b...@bsd4all.org

Created attachment 198460
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=198460&action=edit
Superfluous addition of pfil hooks in if_ipsec.c

A VPN with an if_ipsec VTI does not keep state with the pf firewall. The
symptoms are below:

1. If the VTI is on the pf.conf "skip" list, everything works ok!
2. With a "block all" nothing goes out, so works ok!
3. When passing an ssh connection with
   "pass out quick on ipsec0 from any to any port ssh keep state"
   the ssh connections work, but drop very quickly. When I dump the pf state
   table, it is not ESTABLISHED/ESTABLISHED.
4. When I add pfil hooks to if_ipsec.c (see attached patch) everything works
   ok, but according to ae it is an additional call to the hook, which is
   probably why #2 works ok.

The system is now running fine with my hack and is in production, but I can set
up a test system and get more info as well as debug.
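The check the reporter did by hand in symptom 3 (dump the pf state table and look for states on the VTI that never reach ESTABLISHED:ESTABLISHED) can be scripted. The following is an added example, not part of the bug report or of FreeBSD; the state lines are constructed in the `pfctl -ss` column layout (interface, protocol, source, direction, destination, state). It assumes the states are bound to the interface name (pf's `if-bound` state policy); under the default floating policy pfctl prints `all` in the first column, so pass `all` instead of `ipsec0`.

```shell
#!/bin/sh
# Added example: list pf TCP states on a VTI that are not fully established.
# Constructed sample in the layout of `pfctl -ss` on FreeBSD; not captured from
# the reporter's system.
SAMPLE_STATES='all tcp 10.0.0.2:51234 -> 192.0.2.10:22       ESTABLISHED:ESTABLISHED
ipsec0 tcp 10.0.0.2:51240 -> 192.0.2.10:22       SYN_SENT:CLOSED
ipsec0 tcp 10.0.0.2:51241 -> 192.0.2.10:22       ESTABLISHED:ESTABLISHED
ipsec0 udp 10.0.0.2:4500 -> 192.0.2.10:4500       MULTIPLE:MULTIPLE'

# list_stuck_states IFACE
#   stdin : pfctl -ss output
#   stdout: "src dir dst state" for every TCP state bound to IFACE whose
#           state pair is not ESTABLISHED:ESTABLISHED
list_stuck_states() {
    awk -v iface="$1" '
        $1 == iface && $2 == "tcp" && $NF != "ESTABLISHED:ESTABLISHED" {
            print $3, $4, $5, $NF
        }'
}

# count_stuck_states IFACE: number of such states (stdin as above)
count_stuck_states() {
    list_stuck_states "$1" | wc -l | tr -d ' '
}

# Usage on the constructed sample; on a live box replace the printf with
# `pfctl -ss | list_stuck_states ipsec0`.
printf '%s\n' "$SAMPLE_STATES" | list_stuck_states ipsec0
```

A non-zero count after an ssh session has been up for a few seconds is the signature described in symptom 3: the state entry exists (so the rule matched) but pf never saw the return traffic on the same interface, which is what the missing pfil hook in if_ipsec.c would explain.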
