In the situation IPSec --> epair0a --> epair0b, pf does not see inbound packets on the interface epair0b, because the epair driver does not clear the flag PACKET_TAG_IPSEC_IN_DONE when it transfers a packet from epair0a to epair0b. The following patch for FreeBSD 10 works for me and is adapted from lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html:
--- if_epair.c.1st 2015-03-13 12:06:49.000000000 +0100 +++ if_epair.c 2016-01-18 17:07:14.911942000 +0100 @@ -469,6 +469,7 @@ struct ifnet *oifp; int error, len; short mflags; + struct m_tag *mtag; DPRINTF("ifp=%p m=%p\n", ifp, m); sc = ifp->if_softc; @@ -510,6 +511,11 @@ mflags = m->m_flags; DPRINTF("packet %s -> %s\n", ifp->if_xname, oifp->if_xname); + /* Delete an existing ipsec tag */ + mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); + if (mtag != NULL) + m_tag_delete(m, mtag); + #ifdef ALTQ /* Support ALTQ via the clasic if_start() path. */ IF_LOCK(&ifp->if_snd);

Maybe some more internal kernel information from a packet should be cleared by the epair driver when it transfers a packet from epair0a to epair0b.

-- Dr. Andreas Longwitz, Data Service GmbH, Beethovenstr. 2A, 23617 Stockelsdorf, Amtsgericht Lübeck, HRB 318 BS, Managing directors: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau

freebsd-net@freebsd.org mailing list, https://lists.freebsd.org/mailman/listinfo/freebsd-net
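Review bot: the second hunk removes only the first PACKET_TAG_IPSEC_IN_DONE tag that m_tag_find() returns, so if an mbuf ever carries more than one instance of that tag the others survive the crossing to the other epair side and pf on epair0b still skips the packet; repeating the m_tag_find()/m_tag_delete() pair in a loop until m_tag_find() returns NULL closes that gap. The comment `/* Delete an existing ipsec tag */` should also name the tag it strips, since every other tag on the mbuf is left in place, which is exactly the open question the mail raises about what else the driver ought to clear before handing the packet over. The new `struct m_tag *mtag;` declaration in the first hunk is fine as placed.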