Date:      Mon,  3 Nov 2003 22:08:24 +0000 (UTC)
From:      "Bjoern A. Zeeb" <>
Subject:   [fix] ipfw2 ipsec history option not working
Message-ID:  <>


>Submitter-Id:	current-users
>Originator:	Bjoern A. Zeeb
>Organization:	Zabbadoz.NeT
>Confidential:	no
>Synopsis:	[fix] ipfw2 ipsec history option not working
>Severity:	critical
>Priority:	high
>Category:	kern
>Class:		sw-bug
>Release:	5.1-CURRENT i386
FreeBSD 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003  i386


	The patch applied on 4 Jul 2003 [1]
	will not work in -CURRENT and might never have worked
	the way it should and as documented.

	The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c
	will never match because opt_ipsec.h is never included.

	Furthermore, because only the check in the verify
	path (ipfw_chk) is #ifdef'ed, and not the path where
	the rules get checked before insertion (check_ipfw_struct),
	   __there will be no complaints when
	     adding a rule with the ipsec option__!



	Add a rule that should match all traffic with
	IPsec history, with the log option, at an appropriate place
	in your ruleset, like:

	ipfw add ... log ip from any to any ipsec

	There will be no match logged.

	Alternatively, you may simply grep for ipsec_gethist
	in ip_fw2.o; this also will not find a match, though it
	should be in there.

	This patch has been verified to make O_IPSEC work
	for me with IPSEC; it has not been verified to work

	Additionally, one may also add something like
	#if defined(IPSEC) || defined(FAST_IPSEC)
	for O_IPSEC in check_ipfw_struct().

--- sys/netinet/ip_fw2.c.orig	Mon Nov  3 18:24:57 2003
+++ sys/netinet/ip_fw2.c	Mon Nov  3 20:47:58 2003
@@ -37,6 +37,7 @@
 #include "opt_ipdn.h"
 #include "opt_ipdivert.h"
 #include "opt_inet.h"
+#include "opt_ipsec.h"
 #ifndef INET
 #error IPFIREWALL requires INET.
 #endif /* INET */
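Review bot: including opt_ipsec.h makes the existing `#ifdef IPSEC` in ipfw_chk() see the option, but the hunk leaves the two problems the description itself raises unaddressed: the O_IPSEC case in check_ipfw_struct() is still not guarded, so a kernel built without IPSEC keeps accepting `ipsec` rules that can never match, and a FAST_IPSEC kernel still compiles the match out because only `IPSEC` is tested (the submitter notes the patch was verified with IPSEC only). Suggest pairing this include with the `#if defined(IPSEC) || defined(FAST_IPSEC)` guard proposed above, applied identically around the O_IPSEC match in ipfw_chk() and in check_ipfw_struct(), with the latter rejecting O_IPSEC (EINVAL) when neither option is compiled in, so a rule that cannot fire is refused at insertion instead of silently installed.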

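The root cause reported here is a config macro tested in a source file that never includes the opt_*.h header defining it, so the `#ifdef` is always false and the guarded code is compiled out with no warning. The shell script below is an added example, not code from this PR or from FreeBSD: a small lint that reads a map in the layout of sys/conf/options (`MACRO<ws>opt_header.h`), collects every macro a source file tests with `#ifdef`, `#ifndef` or `#if`/`#elif defined()`, and reports those whose header the file does not include. The options excerpt and the cut-down ip_fw2.c include block it runs over are constructed for the demo; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD: a lint for the bug class
# behind this report. A kernel source file that tests an option macro with
# #ifdef / #if defined() but never includes the opt_*.h header that defines it
# always sees the macro undefined, so the guarded code is silently compiled out
# (as happened to the O_IPSEC check in ip_fw2.c).
#
# lint_opt_headers OPTIONS_FILE SOURCE_FILE
#   OPTIONS_FILE uses the layout of sys/conf/options: "MACRO<ws>opt_header.h".
#   Prints "MACRO opt_header.h" for each macro tested in SOURCE_FILE whose
#   header is not included there, in order of first use; exit 1 if any found.
lint_opt_headers() {
    awk '
        # First file: macro -> opt header map (blank and # lines ignored).
        FNR == NR { if ($0 !~ /^[ \t]*#/ && NF >= 2) hdr[$1] = $2; next }
        # Second file: record every quoted #include ...
        /^[ \t]*#[ \t]*include[ \t]*"[^"]*"/ {
            s = $0; sub(/^[^"]*"/, "", s); sub(/".*$/, "", s); inc[s] = 1
        }
        # ... and every macro tested by #ifdef, #ifndef, #if/#elif defined().
        /^[ \t]*#[ \t]*(ifdef|ifndef|if|elif)/ {
            line = $0
            if (match(line, /#[ \t]*ifn?def[ \t]+[A-Za-z_][A-Za-z0-9_]*/)) {
                m = substr(line, RSTART, RLENGTH); sub(/.*[ \t]/, "", m); note(m)
            }
            while (match(line, /defined[ \t]*\(?[ \t]*[A-Za-z_][A-Za-z0-9_]*/)) {
                m = substr(line, RSTART, RLENGTH)
                sub(/^defined[ \t]*\(?[ \t]*/, "", m); note(m)
                line = substr(line, RSTART + RLENGTH)
            }
        }
        function note(m) { if (!(m in used)) { used[m] = 1; order[++n] = m } }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                m = order[i]
                if ((m in hdr) && !(hdr[m] in inc)) { print m, hdr[m]; bad = 1 }
            }
            exit bad
        }' "$1" "$2"
}

# Constructed inputs: an options excerpt and a cut-down ip_fw2.c include block.
# $1 = directory to write into, $2 = "buggy" (no opt_ipsec.h) or "fixed".
write_demo_files() {
    cat > "$1/options" <<'EOF'
# constructed excerpt in the layout of sys/conf/options
INET            opt_inet.h
IPDIVERT        opt_ipdivert.h
DUMMYNET        opt_ipdn.h
IPSEC           opt_ipsec.h
FAST_IPSEC      opt_ipsec.h
EOF
    {
        echo '#include "opt_ipdn.h"'
        echo '#include "opt_ipdivert.h"'
        echo '#include "opt_inet.h"'
        [ "$2" = fixed ] && echo '#include "opt_ipsec.h"'
        cat <<'EOF'
#ifndef INET
#error IPFIREWALL requires INET.
#endif /* INET */
#ifdef IPDIVERT
static int have_divert = 1;
#endif
#if defined(IPSEC) || defined(FAST_IPSEC)
static int have_ipsec = 1;   /* never compiled in while opt_ipsec.h is missing */
#endif
EOF
    } > "$1/ip_fw2.c"
}

# Run the lint over a constructed tree and print its findings; always returns 0
# so the output can be compared. $1 = "buggy" or "fixed".
demo() {
    d=$(mktemp -d) || return 1
    write_demo_files "$d" "$1"
    lint_opt_headers "$d/options" "$d/ip_fw2.c" || :
    rm -rf "$d"
}

demo buggy    # reports IPSEC and FAST_IPSEC: opt_ipsec.h is never included
demo fixed    # reports nothing once the include is present
```

Pointed at a real tree, `lint_opt_headers sys/conf/options sys/netinet/ip_fw2.c` would have flagged `IPSEC opt_ipsec.h` before this patch. The lint only knows about macros that have an opt header in the map, so options that land in opt_global.h are never reported; a macro spelled differently in the options file and the source (a typo) is likewise invisible to it.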