Feature #11395
closedOption to switch IPsec filtering modes to choose between ``enc`` and ``if_ipsec`` filtering
100%
Description
Due to the limitations mentioned in #8686 FreeBSD can filter IPsec in one of two ways:
- Filter on enc0 for all IPsec -- Filters tunnel mode and VTI traffic, but cannot filter on VTI interfaces.
- Filter on if_ipsec interfaces -- Filters VTI interfaces only, but tunnel mode traffic is dropped
Until #8686 can be solved properly in the base OS, we should give users the option to choose between these two behaviors. If a user has only VTI tunnels, they can take advantage of the benefits that come with filtering on if_ipsec VTI interfaces, like functional NAT and reply-to.
For the default enc filtering mode, use the following sysctl values:
"net.inet.ipsec.filtertunnel" => "0x0000", "net.inet6.ipsec6.filtertunnel" => "0x0000", "net.enc.out.ipsec_bpf_mask" => "0x0001", "net.enc.out.ipsec_filter_mask" => "0x0001", "net.enc.in.ipsec_bpf_mask" => "0x0002", "net.enc.in.ipsec_filter_mask" => "0x0002"
And for if_ipsec filtering:
"net.inet.ipsec.filtertunnel" => "0x0001", "net.inet6.ipsec6.filtertunnel" => "0x0001", "net.enc.out.ipsec_bpf_mask" => "0x0000", "net.enc.out.ipsec_filter_mask" => "0x0000", "net.enc.in.ipsec_bpf_mask" => "0x0000", "net.enc.in.ipsec_filter_mask" => "0x0000"
For firewall rules:
- In enc filtering mode, the IPsec tab should be visible and assigned if_ipsec interface tabs hidden.
- In if_ipsec filtering mode, the IPsec tab should be hidden and assigned if_ipsec interface tabs visible.
Will need some appropriate warnings on the option to make users aware that setting it to if_ipsec mode will block/drop all tunnel mode traffic.
To me, I have code ready which implements this change.
Related issues
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset cb0a23f29237d86fbc40259882bba2b5b9d419f5.
Updated by Jim Pingle almost 4 years ago
- Target version changed from CE-Next to 2.6.0
Updated by Jim Pingle over 3 years ago
- Subject changed from Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering to Option to switch IPsec filtering modes to choose between ``enc`` and ``if_ipsec`` filtering
Updating subject for release notes.
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2
Updated by Jim Pingle 8 months ago
- Related to Regression #15430: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on ``enc0`` interface added