On 2022-02-27 at 18:54 EST, Matteo Riondato <mat...@freebsd.org> wrote:

Hello net@,

I am trying to use pf to filter packets in ipsec tunnels by filtering on enc0 from if_enc(4).

I have the following values for the net.enc sysctl subtree:
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 2

and I have

net.inet.ipsec.filtertunnel: 1

Everything works well when the tunnel does not use ipcomp, but when it does, the incoming packets seem to ignore the value of the net.enc.in.ipsec_filter_mask sysctl, thus they show up in pf “twice”: once with both external and internal headers, and once only with internal (the value of 2 for this sysctl should make these packets show up only with internal headers). The same can be observed with tcpdump on enc0. This behavior makes it hard to do filtering.

Sorry to resurrect an old thread, but things are still quite unclear to me.

Specifically, I don't understand why, on the VPN server (using strongswan), I'm seeing ipcomp packets with the "public IPs" headers on enc0 with the sysctl as above.

Shouldn't the sysctls make it so I only see non-public addresses on enc0, at least for the VPN clients?

Example from tcpdump output:

# tcpdump -e -n -tttt -vv -Q out -i enc0 proto ipcomp
tcpdump: listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
2022-12-03 09:43:12.837006 (authentic,confidential): SPI 0xcdd5f426: (tos 0x0, ttl 64, id 12913, offset 0, flags [none], proto Compressed IP (108), length 93, bad cksum 0 (->96d5)!)
    serverPublicIP > clientPublicIP: IPComp(cpi=0x8b57)
2022-12-03 09:43:12.936234 (authentic,confidential): SPI 0xcdd5f426: (tos 0x0, ttl 64, id 30383, offset 0, flags [none], proto Compressed IP (108), length 106, bad cksum 0 (->528a)!)
    serverPublicIP > clientPublicIP: IPComp(cpi=0x8b57)
2022-12-03 09:43:13.008234 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 9939, offset 0, flags [none], proto Compressed IP (108), length 430)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:13.355676 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 56601, offset 0, flags [none], proto Compressed IP (108), length 432)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:13.851280 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 12461, offset 0, flags [none], proto Compressed IP (108), length 431)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:14.655189 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 15506, offset 0, flags [none], proto Compressed IP (108), length 429)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:16.055205 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 3025, offset 0, flags [none], proto Compressed IP (108), length 431)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:18.653248 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 18351, offset 0, flags [none], proto Compressed IP (108), length 430)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:23.676563 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 22302, offset 0, flags [none], proto Compressed IP (108), length 427)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:33.471467 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 48805, offset 0, flags [none], proto Compressed IP (108), length 429)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:52.872815 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 40015, offset 0, flags [none], proto Compressed IP (108), length 429)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:44:31.471603 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 40969, offset 0, flags [none], proto Compressed IP (108), length 429)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:44:39.370293 (authentic,confidential): SPI 0xcdd5f426: (tos 0x0, ttl 64, id 7537, offset 0, flags [none], proto Compressed IP (108), length 93, bad cksum 0 (->abd5)!)
        serverPublicIP > clientPublicIP: IPComp(cpi=0x8b57)
2022-12-03 09:44:39.396698 (authentic,confidential): SPI 0xcdd5f426: (tos 0x0, ttl 64, id 38574, offset 0, flags [none], proto Compressed IP (108), length 106, bad cksum 0 (->328b)!)
        serverPublicIP > clientPublicIP: IPComp(cpi=0x8b57)
2022-12-03 09:44:39.436956 (authentic,confidential): SPI 0xcdd5f426: (tos 0x0, ttl 64, id 61004, offset 0, flags [none], proto Compressed IP (108), length 94, bad cksum 0 (->daf8)!)
        serverPublicIP > clientPublicIP: IPComp(cpi=0x8b57)
2022-12-03 09:45:35.468389 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 35714, offset 0, flags [none], proto Compressed IP (108), length 427)

I'm also quite confused as to why, even with "-Q out", I'm seeing packets going in both directions. Perhaps that's an if_enc quirk?

Thanks,
Matteo
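As an added illustration, not part of Matteo's mail or of any FreeBSD code, here is a small Python parser for the enc0 tcpdump lines quoted above. It groups packets by SPI and flow direction and then checks each packet's header view (outer tunnel-endpoint headers versus inner headers) against what the net.enc.in/out.ipsec_filter_mask values should allow. The mask semantics encoded here are my reading of if_enc(4) (bit 1 = before IPsec processing, bit 2 = after), the sample lines are constructed from the mail's output with its serverPublicIP/clientPublicIP placeholders, and the names LOCAL, ENDPOINTS and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of "tcpdump -e -n -tttt -vv -i enc0" output,
# using the placeholder addresses from the mail rather than real IPs.
SAMPLE = """\
2022-12-03 09:43:12.837006 (authentic,confidential): SPI 0xcdd5f426: (tos 0x0, ttl 64, id 12913, offset 0, flags [none], proto Compressed IP (108), length 93, bad cksum 0 (->96d5)!)
    serverPublicIP > clientPublicIP: IPComp(cpi=0x8b57)
2022-12-03 09:43:12.936234 (authentic,confidential): SPI 0xcdd5f426: (tos 0x0, ttl 64, id 30383, offset 0, flags [none], proto Compressed IP (108), length 106, bad cksum 0 (->528a)!)
    serverPublicIP > clientPublicIP: IPComp(cpi=0x8b57)
2022-12-03 09:43:13.008234 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 9939, offset 0, flags [none], proto Compressed IP (108), length 430)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
2022-12-03 09:43:13.355676 (authentic,confidential): SPI 0xceeb1d8e: (tos 0x0, ttl 53, id 56601, offset 0, flags [none], proto Compressed IP (108), length 432)
        clientPublicIP > serverPublicIP: IPComp(cpi=0x5802)
"""

# Assumed topology: this host is the VPN server; both tunnel endpoints are "public".
LOCAL = "serverPublicIP"
ENDPOINTS = {"serverPublicIP", "clientPublicIP"}

# Header line: timestamp, ENC flags, SPI, then the IP header summary in parentheses.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"\((?P<enc>[^)]*)\): SPI (?P<spi>0x[0-9a-f]+): "
    r"\(tos (?P<tos>0x[0-9a-f]+), ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>.+?) \((?P<proto_num>\d+)\), length (?P<length>\d+)"
    r"(?:, bad cksum (?P<cksum>\d+ \(->[0-9a-f]+\))!)?\)$"
)
# Continuation line: "src > dst: payload description".
ADDR_RE = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$")
CPI_RE = re.compile(r"cpi=(0x[0-9a-f]+)")


def parse_enc0(text):
    """Turn enc0 tcpdump text into one dict per packet (header line + address line)."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "ts": m["ts"], "enc": m["enc"].split(","), "spi": m["spi"],
                "ttl": int(m["ttl"]), "proto": m["proto"],
                "proto_num": int(m["proto_num"]), "length": int(m["length"]),
                "bad_cksum": m["cksum"] is not None,
            }
            records.append(current)
            continue
        a = ADDR_RE.match(line)
        if a and current is not None:  # a header with no address line is kept as-is
            current["src"], current["dst"] = a["src"], a["dst"]
            c = CPI_RE.search(a["payload"])
            current["cpi"] = c.group(1) if c else None
            current = None
    return records


def summarize(records):
    """Count packets and bytes per (SPI, src, dst), i.e. per SA and flow direction."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0, "bad_cksum": 0})
    for r in records:
        s = summary[(r["spi"], r.get("src"), r.get("dst"))]
        s["count"] += 1
        s["bytes"] += r["length"]
        s["bad_cksum"] += r["bad_cksum"]
    return dict(summary)


ENC_BEFORE, ENC_AFTER = 1, 2  # mask bits as documented in if_enc(4) (my reading)


def header_views(direction, mask):
    """Which header view(s) a net.enc.<direction>.ipsec_*_mask value selects.
    Inbound: 'before' IPsec = still encapsulated (outer), 'after' = decrypted (inner).
    Outbound: 'before' = plaintext (inner), 'after' = encapsulated (outer)."""
    views = []
    if mask & ENC_BEFORE:
        views.append("outer" if direction == "in" else "inner")
    if mask & ENC_AFTER:
        views.append("inner" if direction == "in" else "outer")
    return views


def unexpected_views(records, masks, endpoints, local):
    """Return packets whose header view the configured masks should not have shown."""
    flagged = []
    for r in records:
        if "src" not in r:
            continue
        direction = "out" if r["src"] == local else "in"
        view = "outer" if {r["src"], r["dst"]} <= endpoints else "inner"
        if view not in header_views(direction, masks[direction]):
            flagged.append((r["ts"], r["spi"], direction, view))
    return flagged


if __name__ == "__main__":
    recs = parse_enc0(SAMPLE)
    for key, val in summarize(recs).items():
        print(key, val)
    # The mail's masks: in=2 (inner only), out=1 (inner only).
    for hit in unexpected_views(recs, {"in": 2, "out": 1}, ENDPOINTS, LOCAL):
        print("unexpected", hit)
```

Direction is derived from the addresses rather than from tcpdump's `-Q out`, since the mail shows that flag not separating directions on enc0; with the mail's masks every IPComp packet carrying endpoint addresses is reported as an unexpected outer view, which is exactly the behaviour being asked about.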
