Project

General

Profile

Actions

Feature #11395

closed

Option to switch IPsec filtering modes to choose between ``enc`` and ``if_ipsec`` filtering

Added by Jim Pingle almost 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
02/10/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default

Description

Due to the limitations mentioned in #8686 FreeBSD can filter IPsec in one of two ways:

  • Filter on enc0 for all IPsec -- Filters tunnel mode and VTI traffic, but cannot filter on VTI interfaces.
  • Filter on if_ipsec interfaces -- Filters VTI interfaces only, but tunnel mode traffic is dropped

Until #8686 can be solved properly in the base OS, we should give users the option to choose between these two behaviors. If a user has only VTI tunnels, they can take advantage of the benefits that come with filtering on if_ipsec VTI interfaces, like functional NAT and reply-to.

For the default enc filtering mode, use the following sysctl values:

    "net.inet.ipsec.filtertunnel"   => "0x0000",
    "net.inet6.ipsec6.filtertunnel" => "0x0000",
    "net.enc.out.ipsec_bpf_mask"    => "0x0001",
    "net.enc.out.ipsec_filter_mask" => "0x0001",
    "net.enc.in.ipsec_bpf_mask"     => "0x0002",
    "net.enc.in.ipsec_filter_mask"  => "0x0002" 

And for if_ipsec filtering:

    "net.inet.ipsec.filtertunnel"   => "0x0001",
    "net.inet6.ipsec6.filtertunnel" => "0x0001",
    "net.enc.out.ipsec_bpf_mask"    => "0x0000",
    "net.enc.out.ipsec_filter_mask" => "0x0000",
    "net.enc.in.ipsec_bpf_mask"     => "0x0000",
    "net.enc.in.ipsec_filter_mask"  => "0x0000" 

For firewall rules:

  • In enc filtering mode, the IPsec tab should be visible and assigned if_ipsec interface tabs hidden.
  • In if_ipsec filtering mode, the IPsec tab should be hidden and assigned if_ipsec interface tabs visible.

Will need some appropriate warnings on the option to make users aware that setting it to if_ipsec mode will block/drop all tunnel mode traffic.

To me, I have code ready which implements this change.


Related issues

Related to Regression #15430: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on ``enc0`` interfaceResolvedMarcos M

Actions
Actions #1

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jeremy Mordkoff almost 4 years ago

tested and working for me.

Actions #3

Updated by Jim Pingle almost 4 years ago

  • Target version changed from CE-Next to 2.6.0
Actions #4

Updated by Jim Pingle over 3 years ago

  • Plus Target Version set to 21.05
Actions #5

Updated by Jim Pingle over 3 years ago

Already in 21.05 branch.

Actions #6

Updated by Jim Pingle over 3 years ago

  • Subject changed from Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering to Option to switch IPsec filtering modes to choose between ``enc`` and ``if_ipsec`` filtering

Updating subject for release notes.

Actions #7

Updated by Jim Pingle over 3 years ago

  • Target version changed from 2.6.0 to 2.5.2
Actions #8

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Closed
Actions #9

Updated by Jim Pingle 8 months ago

  • Related to Regression #15430: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on ``enc0`` interface added
Actions

Also available in: Atom PDF