List:       openbsd-bugs
Subject:    system/5591: Bug in tag referencing in pf
From:       listener () wernig ! net
Date:       2007-09-24 16:31:20
Message-ID: 200709241631.l8OGVKAH026231 () gate0001 ! int ! swisssign ! net
>Number:         5591
>Category:       system
>Synopsis:       tags from ipsec are not evaluated by pf
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 24 16:00:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Markus Wernig
>Release:        4.1 -release
>Organization:
net
>Environment:
	
	System      : OpenBSD 4.1
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:
	When setting a tag on packets in ipsec.conf like
	ike esp from A to B tag "mytag"
	and then trying to reference that tag in pf.conf like
	nat on $int_if tagged "mytag" -> ($int_if:1)
	nat on $int_if from !($int_if) -> ($int_if:0)
	
	the packets coming in through the ipsec tunnel are still natted on $int_if to $int_if:0,
	i.e. the primary address of $int_if.

	While using the actual IPs in the same rule works:
	nat on $int_if from A to B -> ($int_if:1)
>How-To-Repeat:
	1) Set up an ipsec tunnel from A to B through an OBSD 4.1 gateway
	2) Configure ipsec.conf to tag packets from that tunnel
	3) Reference the tag in pf.conf to manipulate (nat) those packets
	4) The packets from the tunnel are not manipulated according to the rule that references the tag.
>Fix:
	Workaround: Use IP addresses in pf.conf instead of tags. Unfortunately this is not always feasible.


>Release-Note:
>Audit-Trail:
>Unformatted:
