[fix] ipfw2 ipsec history option not working
Bjoern A. Zeeb
bzeeb+freebsd at zabbadoz.net
Mon Nov 3 14:10:12 PST 2003
>Submitter-Id: current-users
>Originator: Bjoern A. Zeeb
>Organization: Zabbadoz.NeT
>Confidential: no
>Synopsis: [fix] ipfw2 ipsec history option not working
>Severity: critical
>Priority: high
>Category: kern
>Class: sw-bug
>Release: 5.1-CURRENT i386
>Environment:
FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003 bz at noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001 i386
>Description:
The patch applied on 4 Jul 2003 [1]
from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624
will not work in current and might never have worked
the way it should and is documented.
The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c
will never match because opt_ipsec.h is never included.
Furthermore, because only the check in the verify
path (ipfw_chk) is #ifdef'ed and not the path where
the rules get checked before insertion (check_ipfw_struct),
__there will be no complaints when
adding a rule with the ipsec option__!
[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33&r2=1.34
>How-To-Repeat:
Add a rule that should match all traffic with
ipsec history, with the log option, at an appropriate place
in your ruleset; something like:
ipfw add ... log ip from any to any ipsec
There will be no match logged.
Alternatively you may simply grep for ipsec_gethist
in ip_fw2.o; this also will not find a match, though it
should be in there.
>Fix:
This patch has been verified to make O_IPSEC work
for me with IPSEC; it has not been verified to work
with FAST_IPSEC.
Additionally, one may also add something like
#if defined(IPSEC) || defined(FAST_IPSEC)
for O_IPSEC in check_ipfw_struct().
--- sys/netinet/ip_fw2.c.orig Mon Nov 3 18:24:57 2003
+++ sys/netinet/ip_fw2.c Mon Nov 3 20:47:58 2003
@@ -37,6 +37,7 @@
#include "opt_ipdn.h"
#include "opt_ipdivert.h"
#include "opt_inet.h"
+#include "opt_ipsec.h"
#ifndef INET
#error IPFIREWALL requires INET.
#endif /* INET */
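Review bot: the hunk only adds the opt_ipsec.h include, so the insertion-time gap the description points out (check_ipfw_struct accepting O_IPSEC without any #ifdef) is left as it was: on a kernel built without IPSEC, `ipfw add ... ipsec` still succeeds silently and the rule never matches anything. Suggest folding the second change the Fix text proposes into this same patch, i.e. wrapping the O_IPSEC case in check_ipfw_struct() with `#if defined(IPSEC) || defined(FAST_IPSEC)` so that such a rule is rejected at insertion instead of being accepted and ignored. The report also states the patch was only verified with IPSEC, so a FAST_IPSEC build should be tested before this is committed.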
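The failure mode in this report (a rule accepted at insertion that can never match at packet time) is easiest to see in miniature. The following is an added illustration, not FreeBSD code: `check_rule_unguarded` and `check_rule_guarded` stand in for check_ipfw_struct() before and after the guard the Fix text suggests, `rule_matches` stands in for the `#ifdef IPSEC` block in ipfw_chk(), and the `IPSEC` macro is used directly instead of coming from the generated opt_ipsec.h. All names here are hypothetical. Compiled without -DIPSEC, the unguarded check accepts the O_IPSEC rule and it then never matches, even for a packet that has IPsec history; the guarded check refuses the rule up front.

```c
/*
 * Added illustration (not FreeBSD code) of the two ipfw paths in this report.
 * IPSEC would normally be defined by the generated opt_ipsec.h; here it is a
 * plain macro, so building this file without -DIPSEC reproduces the situation
 * described in the PR, and building with -DIPSEC shows the intended behaviour.
 */
#include <errno.h>
#include <stdio.h>

enum { O_NOP = 0, O_IPSEC = 1 };

struct ipfw_insn { int opcode; };        /* toy rule: a single micro-instruction */
struct pkt { int has_ipsec_history; };   /* toy packet: stands in for ipsec_gethist() */

/* Insertion-time check as reported: O_IPSEC accepted regardless of build options. */
int check_rule_unguarded(const struct ipfw_insn *cmd)
{
    switch (cmd->opcode) {
    case O_NOP:
    case O_IPSEC:
        return 0;
    default:
        return EINVAL;
    }
}

/* Insertion-time check with the guard the Fix text suggests. */
int check_rule_guarded(const struct ipfw_insn *cmd)
{
    switch (cmd->opcode) {
    case O_NOP:
        return 0;
#if defined(IPSEC) || defined(FAST_IPSEC)
    case O_IPSEC:
        return 0;
#endif
    default:
        return EINVAL;                   /* no IPsec stack: refuse the rule */
    }
}

/* Packet-time evaluation, guarded the same way ipfw_chk() is in the report. */
int rule_matches(const struct ipfw_insn *cmd, const struct pkt *p)
{
    switch (cmd->opcode) {
    case O_NOP:
        return 1;
#ifdef IPSEC
    case O_IPSEC:
        return p->has_ipsec_history;
#endif
    default:
        return 0;                        /* unknown opcode: silently never matches */
    }
}

/*
 * Insert an O_IPSEC rule through the given check, then evaluate one packet.
 * Returns -1 if the rule was rejected at insertion, otherwise 0/1 for no match/match.
 */
int ipsec_rule_outcome(int (*check)(const struct ipfw_insn *), int pkt_has_history)
{
    struct ipfw_insn cmd = { O_IPSEC };
    struct pkt p = { pkt_has_history };

    if (check(&cmd) != 0)
        return -1;
    return rule_matches(&cmd, &p);
}

int main(void)
{
#ifdef IPSEC
    const char *built_with_ipsec = "yes";
#else
    const char *built_with_ipsec = "no";
#endif
    printf("IPSEC defined at build time: %s\n", built_with_ipsec);
    printf("unguarded check, packet with IPsec history: %d\n",
           ipsec_rule_outcome(check_rule_unguarded, 1));
    printf("guarded check,   packet with IPsec history: %d\n",
           ipsec_rule_outcome(check_rule_guarded, 1));
    return 0;
}
```

Without -DIPSEC the first line prints 0 (rule inserted, never matches) and the second prints -1 (rule rejected), which is the difference between a firewall rule that silently does nothing and one whose absence the administrator is told about at `ipfw add` time.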
More information about the freebsd-ipfw mailing list