When IPSEC is configured according to the Handbook[1], pf fails
to track connection state properly, because it does not see packets coming from the tunneled interface to gif(4). Rebuilding with IPSEC_FILTERGIF fixes the problem. According to mlaier@ we cannot change GENERIC for this, but it's ok to document the requirement for IPSEC_FILTERGIF. Add a note to this effect. [1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html PR: kern/97057 Submitted by: Dmitry Andrianov <freebsd@dima.spb.ru> Suggested by: mlaier Reviewed by: remko
This commit is contained in:
Giorgos Keramidas
parent
5d0d47d906
commit
4d2455bbfb
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=28169
1 changed files with 10 additions and 0 deletions
|
|
@ -3116,7 +3116,17 @@ options FAST_IPSEC # new IPsec (cannot define w/ IPSEC)
|
|||
<quote>Fast IPsec</quote> subsystem in lieu of the KAME
|
||||
implementation of IPsec. Consult the &man.fast.ipsec.4;
|
||||
manual page for more information.</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>To let firewalls properly track state for &man.gif.4;
|
||||
tunnels too, you have to enable the
|
||||
<option>IPSEC_FILTERGIF</option> in your kernel
|
||||
configuration:</para>
|
||||
|
||||
<screen>
|
||||
options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
|
||||
</screen>
|
||||
</note>
|
||||
|
||||
<indexterm>
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue