pf not seeing inbound packets on netgraph interface

Andreas Longwitz longwitz at incore.de
Tue Jan 24 11:15:01 UTC 2012


Hi Ed,

> I am running into a roadblock getting PF to filter traffic on
> a Netgraph interface representing an L2TP/IPSec connection.

> The problem I have is that PF only sees traffic on the outbound
> side of the netgraph interface.

This happens because the L2TP packets are tagged with an IPSEC-flag for
later use by ipfw, and this flag is passed to the packets coming from
ng0. That's done by the netgraph under control of mpd, or better: mpd
does nothing to clear this flag.

With net.inet.ipsec.filtertunnel=1 you can ignore this IPSEC-flag, but
only globally for all interfaces in the system. That's probably not what
you want, especially not for the real hardware interface the
IPSEC-tunnel is going through.

I think L2TP under control of mpd should work independent of the
existence of an IPSEC-tunnel and therefore clear this flag:

--- ng_l2tp.c.orig       2010-04-15 14:40:02.000000000 +0200
+++ ng_l2tp.c   2012-01-23 17:09:41.000000000 +0100
@@ -752,6 +752,7 @@
        hookpriv_p hpriv = NULL;
        hook_p hook = NULL;
        struct mbuf *m;
+       struct m_tag *mtag;
        u_int16_t tid, sid;
        u_int16_t hdr;
        u_int16_t ns, nr;
@@ -996,6 +997,11 @@
                ERROUT(0);
        }

+       /* Delete an existing ipsec tag */
+       mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+       if (mtag != NULL)
+               m_tag_delete(m, mtag);
+
        /* Deliver data */
        NG_FWD_NEW_DATA(error, item, hook, m);
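Review bot: the tag removal before `NG_FWD_NEW_DATA` is unconditional, so every packet leaving the node through the data hook loses `PACKET_TAG_IPSEC_IN_DONE`, which also affects setups that rely on ipfw seeing the tag on the decapsulated side; consider making the behaviour selectable (a sysctl or a per-node control message) or at least stating in the comment why the tag is dropped, e.g. "/* Drop the IPSEC tag set by the outer tunnel so pf/ipfw filter the decapsulated payload */". The placement itself looks right: the lookup runs only on the success path after the `ERROUT(0)` checks, and `m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL)` followed by `m_tag_delete(m, mtag)` is the correct pairing for removing a single tag.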

This patch for the l2tp netgraph node does the job and you can use pf on
the ng0 interface without any restrictions.

Regards,


-- 
Dr. Andreas Longwitz

Data Service GmbH
Beethovenstr. 2A
23617 Stockelsdorf
Amtsgericht Lübeck, HRB 318 BS
Geschäftsführer: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau
