PF blocks traffic from encapsulated IPv4 where tun0 (IPv6) gif0 (IPv4 in IPv6 tunnel)

Martin Got
Hello list,

IPv4 encapsulated traffic always hits the rule:

block log (all, to pflog0)

If I set in pf.conf on both tunnel sides:

set skip on {tun0, gif0}

I can ping both IPv4 tunnel ends, but rdr-to rules don't work for IPv4 encapsulated packets this way.

I've tried to allow encap protocol right after 'block log (all, to pflog0)' rule like below:

pass in log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)
pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)

No effect; IPv4 encapsulated traffic is blocked by the 'block log (all, to pflog0)' rule every time, according to tcpdump as below:

07:15:54.366210 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap)
07:15:55.366422 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap)

The question is how to allow IPv4 encapsulated traffic on tun0 with gif0 IPv4-in-IPv6?

Configs for both sides of tunnel:

=== Side-a ===

# cat /etc/hostname.gif0
# gif0
up
description 'IPv4 over IPv6 tunnel'
# tunnel [src IPv6] [dst IPv6]
tunnel dddd:cccc:bbbb:aaaa::18b5 aaaa:bbbb:cccc:dddd::a503
inet alias 10.190.0.1
dest 10.190.0.2

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        index 44 priority 0 llprio 3
        groups: tun
        status: active
        inet6 fe80::5054:ffc:fe04:f824%tun0 ->  prefixlen 64 scopeid 0x2c
        inet6 dddd:cccc:bbbb:aaaa::18b5 ->  prefixlen 48

=== Side-b ===

# cat /etc/hostname.gif0
# gif0
up
description 'IPv4 over IPv6 tunnel'
# tunnel [src IPv6] [dst IPv6]
tunnel aaaa:bbbb:cccc:dddd::a503 dddd:cccc:bbbb:aaaa::18b5
inet alias 10.190.0.2
dest 10.190.0.1

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        index 44 priority 0 llprio 3
        groups: tun
        status: active
        inet6 fe80::2a15:f3af:fefb:a3b0%tun0 ->  prefixlen 64 scopeid 0x2c
        inet6 aaaa:bbbb:cccc:dddd::a503 ->  prefixlen 48


Re: PF blocks traffic from encapsulated IPv4 where tun0 (IPv6) gif0 (IPv4 in IPv6 tunnel)

Martin Got
Some updates

ipv6-icmp for both ends with IPv6 addresses works well even without 'set skip':

pass in on tun0 inet6 proto ipv6-icmp all icmp6-type {toobig, echoreq} keep state

So it is confirmed that filtering for IPv6 is working on tun0, but it does not work for encapsulated IPv4 for some reason.

Please advise.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 8, 2021 7:24 AM, Martin <[hidden email]> wrote:




Re: PF blocks traffic from encapsulated IPv4 where tun0 (IPv6) gif0 (IPv4 in IPv6 tunnel)

Martin Got
In addition to passing encapsulated traffic with the rules below:

pass in log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)
pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)

I set an incoming rule to pass ICMP traffic from the tun0 and gif0 interfaces. This rule works fine if the IPv4 is not encapsulated (it works for all IPv4 traffic appearing on any affected interface), but with IPv4 encap it doesn't work for some reason, and ICMP packets from encapsulated IPv4 always hit the block all rule.

pass in on {tun0, gif0} inet proto icmp all icmp-type {echoreq, timex, paramprob, unreach code needfrag} keep state

Any ideas would help.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 8, 2021 9:11 AM, Martin <[hidden email]> wrote:

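The following pf.conf fragment is an added example written for this page; it is not from the thread and not a confirmed fix from the list. It assumes OpenBSD PF with the gif0/tun0 layout shown in the posts: gif(4) puts IPv4 inside an IPv6 packet with next header 4 (ipencap), so what PF sees arriving on tun0 is an IPv6 packet, and the decapsulated IPv4 packet is then seen a second time on gif0. The thread's own rules use the 'inet' address family together with 'proto ipencap', which can only match an IPv4 outer header; the example below keeps that rule commented out beside an 'inet6' version, and moves the inner-IPv4 rules (including any rdr-to) onto gif0. The macros reuse the placeholder addresses from the posts.

```pf
# Added example, not from the original thread. Assumptions: OpenBSD PF,
# tun0 carries the IPv6 outer packet, gif0 presents the decapsulated IPv4.
v6_local = "dddd:cccc:bbbb:aaaa::18b5"
v6_peer  = "aaaa:bbbb:cccc:dddd::a503"
v4_local = "10.190.0.1"
v4_peer  = "10.190.0.2"

block log (all, to pflog0)

# Rule as posted in the thread. 'inet' restricts it to an IPv4 outer header,
# so an IPv4-in-IPv6 packet arriving on tun0 never matches it.
# pass in  log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)
# pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)

# Outer packet on tun0: IPv6 with next header 4 (ipencap, per /etc/protocols).
# Pin it to the two tunnel endpoints instead of 'from any to any', so a third
# party cannot inject inner IPv4 packets by spoofing an encapsulated packet.
pass in  log on tun0 inet6 proto ipencap from $v6_peer  to $v6_local keep state (if-bound)
pass out log on tun0 inet6 proto ipencap from $v6_local to $v6_peer  keep state (if-bound)

# Inner packet after decapsulation is filtered again, on gif0, as plain IPv4.
# Only here does PF see the 10.190.0.0/24 addresses, so ICMP and rdr-to rules
# for the tunnelled traffic belong on gif0, not on tun0.
pass in  on gif0 inet proto icmp from $v4_peer to $v4_local \
    icmp-type {echoreq, timex, paramprob, unreach code needfrag} keep state
pass out on gif0 inet proto icmp from $v4_local to $v4_peer keep state

# Example placement of a redirect for tunnelled IPv4 (hypothetical service,
# an assumption for illustration only):
# pass in on gif0 inet proto tcp from $v4_peer to $v4_local port 8080 rdr-to 127.0.0.1 port 80
```

Two checks are worth doing before trusting this: 'pfctl -sr -vv' shows which rule number the log lines refer to, and 'tcpdump -n -e -ttt -i pflog0' prints the interface and address family of the blocked packet, which tells you whether the outer (tun0, inet6) or the inner (gif0, inet) pass is the one being blocked. Also note that an IPv4-in-IPv6 tunnel carries no authentication: restricting the outer rule to the peer's address stops casual injection but not an on-path attacker, so anything security-sensitive inside the tunnel should be protected by IPsec or run over a tunnel type that authenticates the peer.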