[Bug 248474] NAT broken on IPsec/VTI [if_ipsec]

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Aug 5 14:44:15 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

--- Comment #13 from Eugene Grosbein <eugen at freebsd.org> ---
(In reply to Andrey V. Elsukov from comment #11)

IPSec code adds PACKET_TAG_IPSEC_IN_DONE tag to decrypted mbuf then calls pfil
hooks. Bad things could happen if mbuf loses PACKET_TAG_IPSEC_IN_DONE due to
pfil hook processing: ipsec_in_reject() returns error code 1 (invalid) and
packet is dropped increasing ips_in_polvio counter.

Switching to IPSEC_LEVEL_USE is a bad hack but it helps.

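The failure mode described in the comment, as an added illustration (this is a constructed model written for this page, not FreeBSD's mbuf, m_tag or ipsec_in_reject() code): the IPsec input path attaches a per-mbuf tag, a pfil hook runs, and the policy check afterwards only looks for that tag. A hook that rewrites the packet in place keeps the tag; a hook that hands back a freshly built mbuf without carrying the tag list over loses it, and the packet is then counted as a policy violation and dropped. The names TAG_IPSEC_IN_DONE, ips_in_polvio_sim, hook_nat_in_place and hook_nat_copy, and the sample payload, are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's packet tag list: not FreeBSD's API. */
#define TAG_IPSEC_IN_DONE 1

struct tag {
    int type;
    struct tag *next;
};

struct mbuf {
    unsigned char data[64]; /* toy payload; byte 0 stands in for the src address */
    size_t len;
    struct tag *tags;       /* metadata that does not live in the payload */
};

/* Stand-in for the ips_in_polvio statistic named in the comment. */
static unsigned long ips_in_polvio_sim = 0;

static struct mbuf *mbuf_alloc(const unsigned char *payload, size_t len)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL) abort();
    if (len > sizeof(m->data)) len = sizeof(m->data);
    memcpy(m->data, payload, len);
    m->len = len;
    return m;
}

static void mbuf_free(struct mbuf *m)
{
    struct tag *t = m->tags;
    while (t != NULL) {
        struct tag *next = t->next;
        free(t);
        t = next;
    }
    free(m);
}

static void mbuf_tag_add(struct mbuf *m, int type)
{
    struct tag *t = calloc(1, sizeof(*t));
    if (t == NULL) abort();
    t->type = type;
    t->next = m->tags;
    m->tags = t;
}

static int mbuf_tag_present(const struct mbuf *m, int type)
{
    for (const struct tag *t = m->tags; t != NULL; t = t->next)
        if (t->type == type) return 1;
    return 0;
}

/* Models the check in the comment: a packet that came in through IPsec must
 * still carry the tag; otherwise it is a policy violation and is rejected (1). */
static int ipsec_in_reject_sim(const struct mbuf *m)
{
    if (mbuf_tag_present(m, TAG_IPSEC_IN_DONE)) return 0;
    ips_in_polvio_sim++;
    return 1;
}

/* Hook A: NAT rewrites the address in the existing mbuf; tags survive. */
static struct mbuf *hook_nat_in_place(struct mbuf *m)
{
    m->data[0] = 0x0a;
    return m;
}

/* Hook B: NAT copies the payload into a new mbuf and returns that one.
 * The bytes are copied, the tag list is not, so the tag is lost. */
static struct mbuf *hook_nat_copy(struct mbuf *m)
{
    struct mbuf *n = mbuf_alloc(m->data, m->len);
    n->data[0] = 0x0a;
    mbuf_free(m); /* old mbuf, tags included, is gone */
    return n;
}

/* Inbound path: decrypt -> tag -> pfil hook -> policy check.
 * Returns 0 when the packet is accepted, 1 when it is dropped. */
static int inbound_path(struct mbuf *(*hook)(struct mbuf *))
{
    static const unsigned char pkt[] = { 0xc0, 0xa8, 0x01, 0x02 }; /* constructed */
    struct mbuf *m = mbuf_alloc(pkt, sizeof(pkt));
    mbuf_tag_add(m, TAG_IPSEC_IN_DONE); /* set by the IPsec input code */
    m = hook(m);                         /* pfil hook processing */
    int rc = ipsec_in_reject_sim(m);
    mbuf_free(m);
    return rc;
}

int main(void)
{
    printf("in-place NAT: rejected=%d\n", inbound_path(hook_nat_in_place));
    printf("copying NAT:  rejected=%d\n", inbound_path(hook_nat_copy));
    printf("ips_in_polvio=%lu\n", ips_in_polvio_sim);
    return 0;
}
```

The point the model makes for a defender diagnosing this: a rising policy-violation counter on a tunnel whose SAs and policies are correct is a symptom of metadata being stripped between decryption and the policy check, so the hooks that touch decrypted packets on that path are the place to look, not the SPD.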