Re: if_enc(4) and net.inet.ipcomp.ipcomp_enable

From: Andrey V. Elsukov <bu7cher_at_yandex.ru>
Date: Tue, 01 Mar 2022 10:52:08 UTC
28.02.2022 02:54, Matteo Riondato writes:
> Hello net@,
> 
> I am trying to use pf to filter packets in ipsec tunnels by filtering
> on enc0 from if_enc(4).
> 
> I have the following values for the net.enc sysctl subtree: 
> net.enc.out.ipsec_bpf_mask: 1
> net.enc.out.ipsec_filter_mask: 1
> net.enc.in.ipsec_bpf_mask: 2
> net.enc.in.ipsec_filter_mask: 2
> 
> and I have
> 
> net.inet.ipsec.filtertunnel: 1
> 
> Everything works well when the tunnel does not use ipcomp, but when
> it does, the incoming packets seem to ignore the value of the 
> net.enc.in.ipsec_filter_mask sysctl, thus they show up in pf “twice”:
> once with both external and internal headers, and once only with
> internal (the value of 2 for this sysctl should make these packets
> show up only with internal headers). The same can be observed with
> tcpdump on enc0. This behavior makes it hard to do filtering.
> 
> Is this behavior expected?

Hi,

are you sure that it is not just on ingress and egress? You can use the 
-Q flag of tcpdump to make sure.

The first time you see an IPcomp packet in PF is when it arrives 
in the IP stack on a physical interface (em, igb, ix, etc.). The second 
time is after decompression on the if_enc interface; it is called from 
the IPsec stack.

-- 
WBR, Andrey V. Elsukov
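Added example (not part of the thread, and not code from either poster): a small POSIX shell script that prints the tcpdump invocations for separating ingress from egress on enc0 with -Q, as suggested above, and a pf ruleset that passes the outer ESP/IPcomp wrapper on the physical interface while filtering only the decapsulated inner packet on enc0 (the pass that net.enc.in.ipsec_filter_mask=2 delivers). The outer interface em0 and the two tunnel subnets are assumptions for illustration; nothing here needs root until you actually run the printed capture commands.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions (adjust to your tunnel): outer interface em0, local inner
# network 10.1.0.0/24, remote inner network 10.2.0.0/24, default
# net.enc.in.ipsec_filter_mask=2 (inner headers only on the inbound path).
set -eu

OUTER_IF=${OUTER_IF:-em0}
LOCAL_NET=${LOCAL_NET:-10.1.0.0/24}
REMOTE_NET=${REMOTE_NET:-10.2.0.0/24}

# Build a tcpdump command that captures one direction on enc0 only.
#   -Q in    : packets on the receive path (after IPsec/IPcomp input)
#   -Q out   : packets on the transmit path (before IPsec/IPcomp output)
#   -e       : print link-level info, which on enc0 is the enc(4) header
#   -n       : no name resolution
enc_capture_cmd() {
    dir=$1
    case $dir in
        "in"|"out"|"inout") ;;
        *) echo "bad direction: $dir (want in, out or inout)" >&2; return 1 ;;
    esac
    echo "tcpdump -n -e -i enc0 -Q $dir"
}

# pf rules that keep the two sightings apart: the ESP/IPcomp wrapper is
# matched on the physical interface, the inner packet on enc0.
# 108 is the IP protocol number of IPcomp.
pf_rules() {
    cat <<EOF
# outer packets on $OUTER_IF: ESP and IPcomp (proto 108), plus IKE
pass in  quick on $OUTER_IF proto { esp, 108 }
pass out quick on $OUTER_IF proto { esp, 108 }
pass in  quick on $OUTER_IF proto udp to port { isakmp, 4500 }
pass out quick on $OUTER_IF proto udp to port { isakmp, 4500 }
# inner packets on enc0 (net.enc.in.ipsec_filter_mask=2 => inner headers only)
pass in  on enc0 from $REMOTE_NET to $LOCAL_NET
pass out on enc0 from $LOCAL_NET to $REMOTE_NET
EOF
}

echo "# ingress on enc0 (expect only inner headers with filter_mask=2):"
echo "  $(enc_capture_cmd in)"
echo "# egress on enc0:"
echo "  $(enc_capture_cmd out)"
echo "# outer ESP/IPcomp as seen on $OUTER_IF:"
echo "  tcpdump -n -i $OUTER_IF esp or ip proto 108"
echo
echo "# pf.conf fragment:"
pf_rules
```

Run the two enc0 captures in separate terminals while traffic flows through the tunnel: if one copy of each packet appears only under -Q in and the other only under -Q out, the "duplicate" is simply the same packet on its way in and on its way out, not a second inbound pass. The pf rules use quick on the outer interface so that the ESP/IPcomp wrapper never reaches the enc0 rules, and address-based rules on enc0 so that only the decapsulated traffic is evaluated there.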