[Bug 248474] if_ipsec: NAT broken on IPsec/VTI
bugzilla-noreply at freebsd.org
Tue Sep 29 19:01:49 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
jimp at netgate.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jimp at netgate.com
--- Comment #25 from jimp at netgate.com ---
The suggested corrections in this issue only solve the problem for a small
number of cases. Sacrificing filtering on enc in favor of if_ipsec isn't viable
if someone needs both policy-based and route-based IPsec tunnels to different
peers at the same time. The number of instances with a mix of both is much
larger than instances which are purely using if_ipsec.
At least with filtering on enc the firewall can filter traffic for both, just
no NAT or per-interface rules. If you disable filtering on enc, if_ipsec rules
would work but traffic would flow freely and unfiltered on enc for policy-based
tunnels, which is a security risk.
The ideal solution would allow both to coexist peacefully rather than being
forced to choose. For example, policy-based traffic would filter on enc, while
route-based traffic would not be processed by pfil on enc, but would filter on
each individual if_ipsec interface instead.
Should this issue be reopened, or should there be a new issue framing this as a
feature request instead of a bug?