Date: Mon, 10 Feb 2003 11:37:45 -0700
From: Mike Durian <durian@boogie.com>
To: Andriy Gapon <agapon@cv-nj.com>, freebsd-net@FreeBSD.ORG
Cc: Guido van Rooij <guido@FreeBSD.ORG>
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
Message-ID: <200302101137.45763.durian@boogie.com>
In-Reply-To: <20030210114109.G53494@edge.foundation.invalid>
References: <20030210114109.G53494@edge.foundation.invalid>
On Monday 10 February 2003 09:42 am, Andriy Gapon wrote:
>
> The reason I am asking this question with such a big crosspost is that it
> seems that all previous discussions on this topic resulted in nothing. And
> this change definitely breaks things for those who use ipsec without extra
> stuff like gif tunnels. It definitely doesn't look like a kind of change
> welcomed in -stable branch, not mentioning a potential security
> vulnerability for those who can not use gif.

I'd like to confirm this. I just backed out change ip_input.c 1.214 on my
-current box and the double processing problem went away. With change 1.214
in place, ESP packets are processed twice, once as ESP packets and once in
their decrypted form.

So, despite the comment in the commit message:

    Get rid of checking for ip sec history. It is true that packets are not
    supposed to be checked by the firewall rules twice. However, because the
    various ipsec handlers never call ip_input(), this never happens anyway.

It looks like ipsec must be calling ip_input() somewhere.

I too would like to see ipfilter behave as documented (in -current too) and
not re-process decrypted ESP packets. Perhaps change 1.214 can be reworked
or reverted?

I'll file a PR.

mike
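A small Python model of the input path the message describes, added here as an illustration and not taken from the thread or from the FreeBSD sources: it assumes, as Mike suspects, that the ESP handler re-injects the decrypted packet through ip_input(), and lets ip_input() either honour or ignore the packet's IPsec history, so the firewall-pass count can be compared for both behaviours. The packet class, addresses and flow are constructed.

```python
"""Model of the FreeBSD 4.x inbound path discussed in the thread.

ip_input() runs the firewall, esp_input() decrypts and hands the inner
packet back to ip_input(). Whether that inner packet hits the firewall a
second time depends on whether ip_input() still checks IPsec history (the
check that ip_input.c 1.214 removed). Simplified model, not kernel code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                      # "esp" for the outer packet, else inner proto
    src: str
    dst: str
    payload: Optional["Packet"] = None   # decrypted inner packet (tunnel mode)
    ipsec_history: bool = False          # set once esp_input() has handled it


class Stack:
    def __init__(self, check_ipsec_history: bool) -> None:
        self.check_ipsec_history = check_ipsec_history
        self.firewall_log: List[Tuple[str, str, str]] = []   # one entry per pass
        self.delivered: List[Packet] = []

    def firewall(self, pkt: Packet) -> None:
        # Stand-in for the ipfw hook: record every packet it is asked to judge.
        self.firewall_log.append((pkt.proto, pkt.src, pkt.dst))

    def ip_input(self, pkt: Packet) -> None:
        # With the history check in place, a packet already decrypted by the
        # ipsec handlers skips the firewall; without it, it is checked again.
        if not (self.check_ipsec_history and pkt.ipsec_history):
            self.firewall(pkt)
        if pkt.proto == "esp":
            self.esp_input(pkt)
        else:
            self.delivered.append(pkt)

    def esp_input(self, pkt: Packet) -> None:
        # Assumption from the thread: the handler re-injects via ip_input().
        inner = pkt.payload
        inner.ipsec_history = True
        self.ip_input(inner)


def firewall_passes(check_ipsec_history: bool) -> List[Tuple[str, str, str]]:
    """Send one constructed ESP tunnel packet and return the firewall passes."""
    stack = Stack(check_ipsec_history)
    inner = Packet("tcp", "10.0.0.1", "10.0.0.2")                 # constructed
    outer = Packet("esp", "192.0.2.1", "192.0.2.2", payload=inner)  # constructed
    stack.ip_input(outer)
    return stack.firewall_log
```

Without the history check (`firewall_passes(False)`) the log shows the ESP packet and then the decrypted TCP packet, i.e. the double processing reported above; with it (`firewall_passes(True)`) only the ESP packet is judged by the firewall.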