From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 3 22:52:33 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4149316A4CE; Mon, 3 Nov 2003 22:52:33 -0800 (PST)
Received: from cocoa.syncrontech.com (cocoa-e0.syncrontech.com [62.71.8.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC29043F85; Mon, 3 Nov 2003 22:52:29 -0800 (PST) (envelope-from ari.suutari@syncrontech.com)
Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.19]) hA46qQEQ017449; Tue, 4 Nov 2003 08:52:27 +0200 (EET) (envelope-from ari.suutari@syncrontech.com)
Received: from coffee.syncrontech.com (coffee.syncrontech.com [62.71.8.37]) hA46qMC5036170; Tue, 4 Nov 2003 08:52:22 +0200 (EET) (envelope-from ari.suutari@syncrontech.com)
From: Ari Suutari
Organization: Syncron Tech Oy
To: "Bjoern A. Zeeb", FreeBSD-gnats-submit@freebsd.org
Date: Tue, 4 Nov 2003 08:52:25 +0200
User-Agent: KMail/1.5.4
References: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
In-Reply-To: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200311040852.25359.ari.suutari@syncrontech.com>
X-Scanned-By: MIMEDefang 2.30 (www . roaringpenguin . com / mimedefang)
X-Scanned-By: MIMEDefang 2.24 (www . roaringpenguin . com / mimedefang)
cc: ipfw@freebsd.org
cc: bzeeb+freebsd@zabbadoz.net
cc: security@freebsd.org
Subject: Re: [fix] ipfw2 ipsec history option not working
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Tue, 04 Nov 2003 06:52:33 -0000

Wow!

The initial patch I submitted must have been incomplete somehow, because I really tested this thing on -current. The reason might be that the first patch didn't include #ifdef IPSEC at all. Then someone (maybe me on another machine...) who tested it complained about the kernel not compiling without IPSEC, and I added the #ifdef IPSEC without testing it 'since it was such a small change'.

Please someone, commit the suggested patch. Also, if these changes have gone to 4.9, it might be good to include this fix for RELENG_4_9 since it is security related.

	Ari S.

On Tuesday 04 November 2003 00:08, Bjoern A. Zeeb wrote:
> >Submitter-Id: current-users
> >Originator: Bjoern A. Zeeb
> >Organization: Zabbadoz.NeT
> >Confidential: no
> >Synopsis: [fix] ipfw2 ipsec history option not working
> >Severity: critical
> >Priority: high
> >Category: kern
> >Class: sw-bug
> >Release: 5.1-CURRENT i386
> >Environment:
> FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003 bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001 i386
> >Description:
> The patch applied at 4 Jul 2003 [1]
> from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624
> will not work in current and might never have worked
> the way it should and is documented.
>
> The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c
> will never match because opt_ipsec.h is never included.
>
> Furthermore, because only the check in the verify
> path (ipfw_chk) is #ifdef'ed and not the path where
> the rules get checked before insertion (check_ipfw_struct),
> __there will be no complaints when
> adding a rule with ipsec option__!
>
> [1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33&r2=1.34
> >How-To-Repeat:
> add a rule that should match all traffic with
> ipsec history with log option at appropriate place
> in your ruleset; s.th. like:
>
> ipfw add ... log ip from any to any ipsec
>
> there will be no match logged;
>
> alternatively you may simply grep for ipsec_gethist
> in ip_fw2.o; this also will not find a match though it
> should be in there.
> >Fix:
> this patch has been verified to make O_IPSEC work
> for me with IPSEC; it has not been verified to work
> with FAST_IPSEC.
>
> additionally one may also add s.th. like
> #if defined(IPSEC) || defined(FAST_IPSEC)
> for O_IPSEC in check_ipfw_struct().
>
> --- sys/netinet/ip_fw2.c.orig Mon Nov 3 18:24:57 2003
> +++ sys/netinet/ip_fw2.c Mon Nov 3 20:47:58 2003
> @@ -37,6 +37,7 @@ > #include "opt_ipdn.h" > #include "opt_ipdivert.h" > #include "opt_inet.h" > +#include "opt_ipsec.h" > #ifndef INET > #error IPFIREWALL requires INET. > #endif /* INET */
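Review bot: adding `#include "opt_ipsec.h"` repairs only the verify path; as the report text above states, check_ipfw_struct() still accepts O_IPSEC unconditionally, so on a kernel built without IPSEC a rule like `ipfw add ... log ip from any to any ipsec` is still inserted and silently never matches. Suggest guarding the O_IPSEC case in check_ipfw_struct() with `#if defined(IPSEC) || defined(FAST_IPSEC)` and rejecting the rule otherwise, so a rule the kernel cannot honour fails at insertion time rather than at packet time. Placing the new include with the other opt_*.h includes in this hunk is the right spot, since the option macros must be visible before any `#ifdef IPSEC` in the file. Note also that the report says the patch is verified with IPSEC only, so a FAST_IPSEC kernel would still need the `#ifdef IPSEC` in ipfw_chk widened to the same `defined(IPSEC) || defined(FAST_IPSEC)` form before O_IPSEC matches there.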
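The following is an added example, not FreeBSD code and not the PR's patch: a small C model of the two ip_fw2.c paths the report contrasts, the insertion-time check (check_ipfw_struct) and the per-packet verify path (ipfw_chk). The names `struct pkt`, `struct rule`, `ipfw_check_rule()` and `ipfw_match()` are hypothetical stand-ins, the `IPSEC` define at the top stands in for the generated opt_ipsec.h the hunk includes, and the `ipsec_history` field stands in for the ipsec_gethist() result. With the define present the rule is accepted and matches only packets that carry IPsec history; with the define removed, the insertion check now refuses the rule instead of accepting one that can never match, which is the guard the report suggests.

```c
/* Added example (not FreeBSD's ip_fw2.c): models ipfw2's insertion check
 * and verify path for the O_IPSEC option. All names below are hypothetical. */
#include <errno.h>
#include <stdio.h>

/* Stand-in for the generated opt_ipsec.h: a kernel built with
 * "options IPSEC" gets this define. Remove it to model a kernel without
 * IPSEC; ipfw_check_rule() then rejects O_IPSEC at insertion time. */
#define IPSEC 1

enum opcode { O_NOP = 0, O_IPSEC = 1, O_LOG = 2 };

struct pkt {
    int ipsec_history;      /* stand-in for ipsec_gethist(m, NULL) != NULL */
};

struct rule {
    enum opcode ops[4];
    int nops;
};

/* Report whether O_IPSEC support was compiled in (for callers and tests). */
int ipsec_option_compiled_in(void)
{
#if defined(IPSEC) || defined(FAST_IPSEC)
    return 1;
#else
    return 0;
#endif
}

/* Insertion-time validation (models check_ipfw_struct).
 * Returns 0 when every opcode is usable on this kernel, EINVAL otherwise. */
int ipfw_check_rule(const struct rule *r)
{
    for (int i = 0; i < r->nops; i++) {
        switch (r->ops[i]) {
        case O_NOP:
        case O_LOG:
            break;
        case O_IPSEC:
            /* The guard the PR proposes: refuse the option when the
             * matching code in the verify path was not compiled in. */
            if (!ipsec_option_compiled_in())
                return EINVAL;
            break;
        default:
            return EINVAL;      /* unknown opcode */
        }
    }
    return 0;
}

/* Per-packet verification (models ipfw_chk).
 * Returns 1 when every opcode in the rule matches the packet. */
int ipfw_match(const struct rule *r, const struct pkt *p)
{
    for (int i = 0; i < r->nops; i++) {
        int match = 0;
        switch (r->ops[i]) {
        case O_NOP:
        case O_LOG:
            match = 1;
            break;
        case O_IPSEC:
#if defined(IPSEC) || defined(FAST_IPSEC)
            match = p->ipsec_history != 0;
#else
            match = 0;          /* unfixed behaviour: never matches */
#endif
            break;
        default:
            match = 0;
        }
        if (!match)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: "log ip from any to any ipsec" as two opcodes,
     * one packet with IPsec history and one without. */
    struct rule r = { { O_LOG, O_IPSEC }, 2 };
    struct pkt esp = { 1 }, plain = { 0 };

    if (ipfw_check_rule(&r) != 0) {
        printf("rule rejected: ipsec option not compiled into this kernel\n");
        return 1;
    }
    printf("packet with ipsec history matches: %d\n", ipfw_match(&r, &esp));
    printf("plain packet matches: %d\n", ipfw_match(&r, &plain));
    return 0;
}
```

The point of the split is that `ipfw_check_rule()` and `ipfw_match()` consult the same compile-time condition, so a rule can only be inserted if the verify path is actually able to honour it; the report's bug was that only one of the two paths was conditional.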