From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 3 14:10:12 2003
Delivered-To: freebsd-ipfw@freebsd.org
To: FreeBSD-gnats-submit@freebsd.org
From: "Bjoern A. Zeeb"
Message-Id: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
Date: Mon, 3 Nov 2003 22:08:24 +0000 (UTC)
cc: security@freebsd.org
cc: ipfw@FreeBSD.org
cc: bzeeb+freebsd@zabbadoz.net
cc: ari.suutari@syncrontech.com
Subject: [fix] ipfw2 ipsec history option not working
Reply-To: "Bjoern A. Zeeb"

>Submitter-Id: current-users
>Originator: Bjoern A. Zeeb
>Organization: Zabbadoz.NeT
>Confidential: no
>Synopsis: [fix] ipfw2 ipsec history option not working
>Severity: critical
>Priority: high
>Category: kern
>Class: sw-bug
>Release: 5.1-CURRENT i386
>Environment:
FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003 bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001 i386
>Description:
The patch applied on 4 Jul 2003 [1] from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624 will not work in current and might never have worked the way it should and is documented.

The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c will never match because opt_ipsec.h is never included.

Furthermore, because only the check in the verify path (ipfw_chk) is #ifdef'ed and not the path where the rules get checked before insertion (check_ipfw_struct), __there will be no complaints when adding a rule with ipsec option__ !

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33&r2=1.34
>How-To-Repeat:
Add a rule that should match all traffic with ipsec history with log option at the appropriate place in your ruleset; s.th. like:

ipfw add ... log ip from any to any ipsec

There will be no match logged. Alternatively you may simply grep for ipsec_gethist in ip_fw2.o; this also will not find a match though it should be in there.
>Fix:
This patch has been verified to make O_IPSEC work for me with IPSEC; it has not been verified to work with FAST_IPSEC. Additionally one may also add s.th. like

#if defined(IPSEC) || defined(FAST_IPSEC)

for O_IPSEC in check_ipfw_struct().

--- sys/netinet/ip_fw2.c.orig	Mon Nov 3 18:24:57 2003
+++ sys/netinet/ip_fw2.c	Mon Nov 3 20:47:58 2003
@@ -37,6 +37,7 @@
 #include "opt_ipdn.h"
 #include "opt_ipdivert.h"
 #include "opt_inet.h"
+#include "opt_ipsec.h"
 #ifndef INET
 #error IPFIREWALL requires INET.
 #endif /* INET */
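Review bot: the added #include "opt_ipsec.h" in this hunk makes the #ifdef IPSEC in ipfw_chk() visible, but the insertion-time check in check_ipfw_struct() is still unguarded, so a rule carrying the ipsec option is still accepted on a kernel built without IPSEC, which the description above names as the second half of the bug; the `#if defined(IPSEC) || defined(FAST_IPSEC)` guard for O_IPSEC in check_ipfw_struct() that the fix text only mentions as optional belongs in this same patch, so that such a rule is rejected at insertion instead of silently never matching. The fix text also states the change was verified with IPSEC only and not with FAST_IPSEC; that limitation should be recorded in the commit message so the FAST_IPSEC case is not assumed covered.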