[fix] ipfw2 ipsec history option not working
Ari Suutari
ari.suutari at syncrontech.com
Mon Nov 3 22:52:33 PST 2003
Wow!

The initial patch I submitted must have been incomplete somehow, because I really tested this thing on -current.

The reason might be that the first patch didn't include #ifdef IPSEC at all. Then someone (maybe me on another machine...) who tested it complained about kernel not compiling without IPSEC - and I added the #ifdef IPSEC without testing it 'since it was such a small change'.

Please someone, commit the suggested patch. Also, if these changes have gone to 4.9, it might be good to include this fix for RELENG_4_9 since it is security related.

Ari S.
On Tuesday 04 November 2003 00:08, Bjoern A. Zeeb wrote:
> >Submitter-Id: current-users
> >Originator: Bjoern A. Zeeb
> >Organization: Zabbadoz.NeT
> >Confidential: no
> >Synopsis: [fix] ipfw2 ipsec history option not working
> >Severity: critical
> >Priority: high
> >Category: kern
> >Class: sw-bug
> >Release: 5.1-CURRENT i386
> >Environment:
>
> FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003
> bz at noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001 i386
>
> >Description:
>
> The patch applied at 4 Jul 2003 [1]
> from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624
> will not work in current and might never have worked
> the way it should and is documented.
>
> The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c
> will never match because opt_ipsec.h is never included.
>
> Furthermore, because only the check in the verify
> path (ipfw_chk) is #ifdef'ed and not the path where
> the rules get checked before insertion (check_ipfw_struct),
> __there will be no complaints when
> adding a rule with the ipsec option__!
>
> [1]
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33&r2=1.34
>
> >How-To-Repeat:
>
> add a rule that should match all traffic with
> ipsec history with log option at appropriate place
> in your ruleset; s.th. like:
>
> ipfw add ... log ip from any to any ipsec
>
> there will be no match logged;
>
>
> alternatively you may simply grep for ipsec_gethist
> in ip_fw2.o; this also will not find a match though it
> should be in there.
>
> >Fix:
>
> this patch has been verified to make O_IPSEC work
> for me with IPSEC; it has not been verified to work
> with FAST_IPSEC.
>
> additionally one may also add s.th. like
> #if defined(IPSEC) || defined(FAST_IPSEC)
> for O_IPSEC in check_ipfw_struct().
>
>
> --- sys/netinet/ip_fw2.c.orig Mon Nov 3 18:24:57 2003
> +++ sys/netinet/ip_fw2.c Mon Nov 3 20:47:58 2003
> @@ -37,6 +37,7 @@
> #include "opt_ipdn.h"
> #include "opt_ipdivert.h"
> #include "opt_inet.h"
> +#include "opt_ipsec.h"
> #ifndef INET
> #error IPFIREWALL requires INET.
> #endif /* INET */
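Review bot: the hunk only wires opt_ipsec.h into the translation unit and leaves the second problem from the Description unaddressed: check_ipfw_struct() still has no guard for O_IPSEC, so on a kernel built without IPSEC a rule using the ipsec option is still accepted at insertion time and then silently never matches. Suggest adding the `#if defined(IPSEC) || defined(FAST_IPSEC)` case for O_IPSEC in check_ipfw_struct() that the Fix section proposes, so the rule is rejected instead, and confirming after a rebuild that `grep ipsec_gethist ip_fw2.o` now finds the symbol. The FAST_IPSEC path is stated as unverified; that should be noted in the commit message or tested before the fix is merged to RELENG_4_9.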
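The failure mode the PR describes, as an added, self-contained example that is not code from the PR or from FreeBSD's ip_fw2.c: an option-dependent opcode whose `#ifdef` is silently false because the option header never reached the compiler, and the insertion-time check that refuses such a rule instead of letting it load and never match. The opcode names, `validate_opcode` and `opcode_matches` are constructed stand-ins for the roles check_ipfw_struct and ipfw_chk play; build with `-DIPSEC` to see the other branch.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's opt_ipsec.h. In a real build the
 * config(8)-generated header is what defines IPSEC / FAST_IPSEC; if it is
 * never included, every "#ifdef IPSEC" below is quietly false, which is the
 * bug the PR reports. Nothing here is defined unless -DIPSEC is passed. */

/* Hypothetical rule opcodes mirroring the shape of ipfw2's O_* values. */
enum rule_opcode { O_NOP = 0, O_LOG = 1, O_IPSEC = 2 };

/* Returns 1 when this translation unit was built with an IPsec option. */
int ipsec_compiled_in(void)
{
#if defined(IPSEC) || defined(FAST_IPSEC)
    return 1;
#else
    return 0;
#endif
}

/* Rule-insertion check (the role check_ipfw_struct plays in ipfw2):
 * reject an O_IPSEC opcode outright when the kernel has no IPsec, rather
 * than accepting a rule that can never match. Returns 0 or an errno. */
int validate_opcode(enum rule_opcode op)
{
    switch (op) {
    case O_NOP:
    case O_LOG:
        return 0;
    case O_IPSEC:
        return ipsec_compiled_in() ? 0 : EINVAL;
    default:
        return EINVAL;
    }
}

/* Packet-check step (the role ipfw_chk plays). Without IPsec the O_IPSEC
 * branch compiles to "never match"; with the validation above in place it
 * is unreachable, because the rule was refused at insertion time. */
int opcode_matches(enum rule_opcode op, int pkt_has_ipsec_history)
{
    switch (op) {
    case O_LOG:
        return 1;
    case O_IPSEC:
#if defined(IPSEC) || defined(FAST_IPSEC)
        return pkt_has_ipsec_history;
#else
        return 0; /* the silent "no match logged" symptom from the PR */
#endif
    default:
        return 0;
    }
}

int main(void)
{
    printf("ipsec compiled in: %d\n", ipsec_compiled_in());
    printf("validate O_IPSEC -> %d (0 = accepted, %d = EINVAL)\n",
           validate_opcode(O_IPSEC), EINVAL);
    printf("O_IPSEC matches packet with history -> %d\n",
           opcode_matches(O_IPSEC, 1));
    return 0;
}
```

The point of the two-function split is that the insertion-time check is the one that must carry the option guard: a guard only in the packet path turns a configuration error into a rule that loads cleanly and then does nothing, which is exactly why a `log ip from any to any ipsec` rule produced no log lines.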