Hello,

I try to pass GRE traffic over IPSec and filter it using pf. With pf disabled the setup works as expected, hence I assume the issue to be with my pf ruleset. To simplify troubleshooting matters I reduced the pf.conf to contain this at the very beginning:

pass quick log on enc0

Reading enc(4), I additionally tried

pass quick log on enc0 keep state (if-bound)

however traffic will not pass.

The only way I was able to make it "work" (or rather, "work around"), was to put

set skip on enc0

which of course is not ideal.

The interfaces are configured like this:

enc0: flags=41<UP,RUNNING>
        index 4 priority 0 llprio 3
        groups: enc
        status: active

gre2: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1476
        index 15 priority 0 llprio 6
        encap: vnetid none txprio payload rxprio packet
        groups: gre
        tunnel: inet6 2a02:1748:f7df:9c81::2 --> 2a03:4000:55:d20::1 ttl 64 nodf ecn
        inet 10.0.14.18 --> 10.0.14.17 netmask 0xfffffff8

With the `pass quick log` rule, a tcpdump on pflog0 looks like this (upon trying to ping through the GRE tunnel from both ends):

rule 73/(match) [uid 0, pid 75851] pass out on gre2: 10.0.14.18 > 10.0.14.17: icmp: echo request (id:030b seq:0) (ttl 255, id 54903, len 84, bad ip cksum 0! -> b50e)
rule 0/(match) [uid 0, pid 75851] pass out on enc0: 2a02:1748:f7df:9c81::2 > 2a03:4000:55:d20::1: gre [] 0800 [|ip] [flowlabel 0xb987] (len 88, hlim 64)
rule 0/(ip-option) [uid 0, pid 75851] pass in on enc0: 2a03:4000:55:d20::1 > 2a02:1748:f7df:9c81::2: DSTOPT (type 0x04: len=1) gre [] 0800 [|ip] [flowlabel 0x1f096] (len 96, hlim 64)
rule 0/(ip-option) [uid 0, pid 75851] pass in on enc0: 2a03:4000:55:d20::1 > 2a02:1748:f7df:9c81::2: DSTOPT (type 0x04: len=1) gre [] 0800 [|ip] [flowlabel 0x1f096] (len 96, hlim 64)

With the `set skip` rule a tcpdump on gre2 looks like this:

10.0.14.18 > 10.0.14.17: icmp: echo request (id:ba85 seq:0) [icmp cksum ok] (ttl 255, id 17321, len 84)
10.0.14.17 > 10.0.14.18: icmp: echo reply (id:ba85 seq:0) [icmp cksum ok] (ttl 64, id 55109, len 84)
10.0.14.17 > 10.0.14.18: icmp: echo request (id:005d seq:1) [icmp cksum ok] (DF) (ttl 64, id 55460, len 84)
10.0.14.18 > 10.0.14.17: icmp: echo reply (id:005d seq:1) [icmp cksum ok] (DF) (ttl 255, id 64477, len 84)

Am I wrong in assuming that this should be getting covered by a generic `pass` rule?

Would appreciate any help!

Thanks a lot for reading.

Best,
Georg
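Editor's added illustration, not part of Georg's post and not a ruleset from enc(4) or pf.conf(5). The pflog lines above record the inbound enc0 packets with the reason `(ip-option)` rather than `(match)`: that is the reason pf logs when a packet carrying IP options or IPv6 extension headers hits a rule without `allow-opts`, which by default drops the packet even though the rule's action is shown as `pass` (see the `allow-opts` entry in pf.conf(5)). The inbound packets in the log carry a DSTOPT extension header, so the example below shows the plain rule beside a narrower one that binds state to enc0 and permits the extension header. The tunnel endpoint addresses are the ones from the post; the inner network and the gre2 rule are assumptions about a typical GRE-over-IPsec setup, and whether this resolves the poster's case is not something the post confirms.

```pf
# Added example (editor's illustration). Endpoint addresses are taken from
# the ifconfig output in the post; $inner_net and the gre2 rule are assumed.
gre_local  = "2a02:1748:f7df:9c81::2"
gre_remote = "2a03:4000:55:d20::1"
inner_net  = "10.0.14.16/29"

# Plain form from the post: matches, but pflog shows "(ip-option)" for the
# inbound packets because the decapsulated IPv6 packet carries a
# destination-options extension header and the rule does not allow options.
# pass quick log on enc0

# Narrower form: only GRE between the two tunnel endpoints, state bound to
# enc0 as enc(4) suggests, and allow-opts so the extension header is not a
# drop reason. Keep "quick" only if nothing later should override this.
pass in  log quick on enc0 inet6 proto gre from $gre_remote to $gre_local \
    keep state (if-bound) allow-opts
pass out log quick on enc0 inet6 proto gre from $gre_local to $gre_remote \
    keep state (if-bound) allow-opts

# The inner traffic is then filtered on gre2 like any other interface,
# which "set skip on enc0" would also have left in place.
pass on gre2 inet from $inner_net to $inner_net
```

To check which rule a packet really ends on and why, `pfctl -vvsr` prints the rules with the numbers pflog uses, and `tcpdump -n -e -ttt -i pflog0` shows the reason in parentheses after the rule number; a `(match)` on the inbound enc0 packets, rather than `(ip-option)`, is the result to look for after the change.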
