Date: Mon, 1 Jan 2007 14:48:12 +0700 (KRAT)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: bms@FreeBSD.org
Subject: bin/107392: [patch] setkey does not recognize esp as protocol name for spdadd
Message-ID: <200701010748.l017mC48048765@nkz.delikates-nk.ru>
Resent-Message-ID: <200701010820.l018KFKh032662@freefall.freebsd.org>
>Number: 107392
>Category: bin
>Synopsis: [patch] setkey does not recognize esp as protocol name for spdadd
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 01 08:20:13 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Eugene Grosbein
>Release: FreeBSD 6.1-STABLE i386
>Organization: Svyaz Service JSC
>Environment:
System: FreeBSD nkz.delikates-nk.ru 6.1-STABLE FreeBSD 6.1-STABLE #1: Thu Sep 7 13:31:53 KRAST 2006 root@nkz.delikates-nk.ru:/home/obj/home/src/sys/NKZ i386
>Description:
This PR is very similar to bin/63616 and the fix is nearly identical.
The following spdadd line cannot be parsed by setkey(8) currently:

	spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;

However, such functionality is required as a workaround for a kernel design problem: if an outgoing packet encrypted with IPSEC is passed to the TCP/IP stack a second time with IPDIVERT or DUMMYNET (when net.inet.ip.fw.one_pass=0), it may be encrypted with IPSEC a second time, which breaks PMTUD. See kern/103135 for details. The spdadd line shown above prevents this IPSEC logic error and provides a workaround. But setkey does not parse this.
>How-To-Repeat:
Try to process the spdadd line shown above with setkey(8).
>Fix:
This patch is very much like parse.y,1.5 that fixed the same issue for tcp. parse.y is located in sbin/setkey/ for recent versions and the same file is in usr.sbin/setkey/ for RELENG_4.

--- parse.y.orig Mon Jan 1 14:31:55 2007 +++ parse.y Mon Jan 1 14:32:04 2007 @@ -683,6 +683,7 @@ : DECSTRING { $$ = $1; } | ANY { $$ = IPSEC_ULPROTO_ANY; } | PR_TCP { $$ = IPPROTO_TCP; } + | PR_ESP { $$ = IPPROTO_ESP; } | STRING { struct protoent *ent;

I'd be glad to see this trivial patch backported to RELENG_5 and RELENG_4 :-)

Eugene Grosbein
>Release-Note:
>Audit-Trail:
>Unformatted:
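Review bot: the added `| PR_ESP { $$ = IPPROTO_ESP; }` alternative only builds if PR_ESP is already a declared token of this grammar and the lexer returns it for the keyword `esp`; the hunk shows neither, so confirm both before committing (presumably `esp` is already lexed as PR_ESP for the SA-protocol rule, which is exactly why the `STRING` fallback just below, resolving names via getprotobyname(3) through `struct protoent *ent`, never got to see `esp`). Any other SA-protocol keyword the lexer claims the same way will hit the same gap in this rule, so either add those alternatives here too or state the limitation in setkey.8, and update the manpage's list of accepted upper-layer protocol names for `esp` either way.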