pfSense

Due to the limitations mentioned in #8686 FreeBSD can filter IPsec in one of two ways:

• Filter on enc0 for all IPsec -- Filters tunnel mode and VTI traffic, but cannot filter on VTI interfaces.
• Filter on if_ipsec interfaces -- Filters VTI interfaces only, but tunnel mode traffic is dropped

Until #8686 can be solved properly in the base OS, we should give users the option to choose between these two behaviors. If a user has only VTI tunnels, they can take advantage of the benefits that come with filtering on if_ipsec VTI interfaces, like functional NAT and reply-to.

For the default enc filtering mode, use the following sysctl values:

    "net.inet.ipsec.filtertunnel"   => "0x0000",
    "net.inet6.ipsec6.filtertunnel" => "0x0000",
    "net.enc.out.ipsec_bpf_mask"    => "0x0001",
    "net.enc.out.ipsec_filter_mask" => "0x0001",
    "net.enc.in.ipsec_bpf_mask"     => "0x0002",
    "net.enc.in.ipsec_filter_mask"  => "0x0002" 

And for if_ipsec filtering:

    "net.inet.ipsec.filtertunnel"   => "0x0001",
    "net.inet6.ipsec6.filtertunnel" => "0x0001",
    "net.enc.out.ipsec_bpf_mask"    => "0x0000",
    "net.enc.out.ipsec_filter_mask" => "0x0000",
    "net.enc.in.ipsec_bpf_mask"     => "0x0000",
    "net.enc.in.ipsec_filter_mask"  => "0x0000" 

For firewall rules:

• In enc filtering mode, the IPsec tab should be visible and assigned if_ipsec interface tabs hidden.
• In if_ipsec filtering mode, the IPsec tab should be hidden and assigned if_ipsec interface tabs visible.

Will need some appropriate warnings on the option to make users aware that setting it to if_ipsec mode will block/drop all tunnel mode traffic.

To me, I have code ready which implements this change.