if_enc(4) and net.inet.ipcomp.ipcomp_enable

Reply: Andrey V. Elsukov: "Re: if_enc(4) and net.inet.ipcomp.ipcomp_enable"
Reply: Matteo Riondato : "Re: if_enc(4) and net.inet.ipcomp.ipcomp_enable"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Matteo Riondato <matteo_at_FreeBSD.org>
Date: Sun, 27 Feb 2022 23:54:11 UTC

Hello net@,

I am trying to use pf to filter packets in ipsec tunnels by filtering on enc0 from if_enc(4).

I have the following values for the net.enc sysctl subtree:
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 2

and I have

net.inet.ipsec.filtertunnel: 1

Everything works well when the tunnel does not use ipcomp, but when it does, the incoming packets seem to ignore the value of the 
net.enc.in.ipsec_filter_mask sysctl, thus they show up in pf “twice”: once with both external and internall headers, and once only with internal (the value of 2 for this sysctl should make these packets show up only with internal headers). The same can be observed with tcpdump on enc0. This behavior makes it hard to do filtering.

Is this behavior expected? 

Thanks,
Matteo