PF Packets from gre interface bypassing PF?

[Mod: Split off from a 6 year old thread; https://forums.freebsd.org/threads/packets-from-gre-interface-bypassing-pf.55181]

Hello!
I have the same problem. I want to create an rdr rule for a transparent proxy on a gre interface. It doesn't work. In tcpdump on the gre interface I see the correct traffic.
Also, a block rule at the beginning doesn't work either. All rules belonging to the gre interface are ignored and the traffic is just passed. In the firewall statistics I see only outgoing traffic on the gre interface.
I tried to set the interface enc0 in the rdr rule; this had no result.
Please help!
 
I can see this bug when I set up a gre tunnel over IPsec (site-to-site, tunnel mode). When I set up a test with pure GRE, all rules work.
How can I fix it?
 
Hello!
I found one thing. If GRE is terminated on the IPsec tunnel endpoints, the traffic doesn't go to the filter engine. But there is a kernel option, net.inet.ipsec.filtertunnel.
The default is 0. That means pf does not filter inbound traffic from tunnel interfaces associated with IPsec.
If I set this option to 1, all rules work. But I have one more IPsec tunnel without GRE. With this option, that tunnel drops outbound packets.

On the internet I found more kernel options which can affect this traffic:
net.enc.out.ipsec_bpf_mask
net.enc.out.ipsec_filter_mask
net.enc.in.ipsec_bpf_mask
net.enc.in.ipsec_filter_mask

What do I need to set up for the correct traffic flow: pure IPsec filtering on enc0, but gre over IPsec filtering on greN?
 