From sa@nkz.delikates-nk.ru  Mon Jan  1 08:12:38 2007
Return-Path: <sa@nkz.delikates-nk.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 39ADE16A407;
	Mon,  1 Jan 2007 08:12:38 +0000 (UTC)
	(envelope-from sa@nkz.delikates-nk.ru)
Received: from nkz.delikates-nk.ru (nkz.delikates-nk.ru [81.16.143.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 8326D13C465;
	Mon,  1 Jan 2007 08:12:37 +0000 (UTC)
	(envelope-from sa@nkz.delikates-nk.ru)
Received: from nkz.delikates-nk.ru (localhost [127.0.0.1])
	by nkz.delikates-nk.ru (8.13.8/8.13.8) with ESMTP id l017mDef048766;
	Mon, 1 Jan 2007 14:48:13 +0700 (KRAT)
	(envelope-from sa@nkz.delikates-nk.ru)
Received: (from root@localhost)
	by nkz.delikates-nk.ru (8.13.8/8.13.8/Submit) id l017mC48048765;
	Mon, 1 Jan 2007 14:48:12 +0700 (KRAT)
	(envelope-from sa)
Message-Id: <200701010748.l017mC48048765@nkz.delikates-nk.ru>
Date: Mon, 1 Jan 2007 14:48:12 +0700 (KRAT)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: bms@freebsd.org
Subject: [patch] setkey does not recognize esp as protocol name for spdadd
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         107392
>Category:       bin
>Synopsis:       [patch] setkey(8) does not recognize esp as protocol name for spdadd
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    gnn
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 01 08:20:13 GMT 2007
>Closed-Date:    Tue Feb 26 09:44:54 UTC 2008
>Last-Modified:  Tue Feb 26 09:44:54 UTC 2008
>Originator:     Eugene Grosbein
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD nkz.delikates-nk.ru 6.1-STABLE FreeBSD 6.1-STABLE #1: Thu Sep 7 13:31:53 KRAST 2006 root@nkz.delikates-nk.ru:/home/obj/home/src/sys/NKZ i386

>Description:
	This PR is very similar to bin/63616 and the fix
	is nearly identical. The following spdadd line cannot
	currently be parsed by setkey(8):

spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;

	However, such functionality is required as a workaround
	for a kernel design problem: if an outgoing packet encrypted with IPSEC
	is passed to the TCP/IP stack a second time by IPDIVERT
	or DUMMYNET (when net.inet.ip.fw.one_pass=0), it may be
	encrypted with IPSEC a second time, which breaks PMTUD.
	See kern/103135 for details.

	The spdadd line shown above prevents IPSEC from making this logic error
	and provides a workaround. But setkey does not parse this.

>How-To-Repeat:

	Try to process the spdadd line shown above with setkey(8).

>Fix:

	This patch is very much like parse.y,1.5, which fixed the same issue for tcp.
	parse.y is located in sbin/setkey/ for recent versions
	and the same file is in usr.sbin/setkey/ for RELENG_4.

--- parse.y.orig	Mon Jan  1 14:31:55 2007
+++ parse.y	Mon Jan  1 14:32:04 2007
@@ -683,6 +683,7 @@
 	:	DECSTRING { $$ = $1; }
 	|	ANY { $$ = IPSEC_ULPROTO_ANY; }
 	|	PR_TCP { $$ = IPPROTO_TCP; }
+	|	PR_ESP { $$ = IPPROTO_ESP; }
 	|	STRING
 		{
 			struct protoent *ent;
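Review bot: the hunk adds a PR_ESP alternative to the upper-layer protocol rule but nothing in it declares that token, so confirm that PR_ESP is already a %token in parse.y and that token.l returns it for the literal "esp"; otherwise yacc will reject the undefined symbol. That lexer reservation is presumably also why the existing STRING alternative (with its getprotobyname() lookup) never rescued "esp": the word never reaches the grammar as a STRING. A regression check that `spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;` now parses would be worth adding, along with a look at whether any other keyword the lexer reserves needs the same treatment.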


	I'd be glad to see this trivial patch backported
	to RELENG_5 and RELENG_4 :-)

Eugene Grosbein
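The mechanism the description and fix rely on, as an added C illustration that is not setkey's own code: the lexer reserves "esp" as a keyword before the generic STRING rule (whose fallback is getprotobyname(3)) can see it, so the grammar rejects the word unless it has an explicit alternative. lex_word and parse_ulproto are hypothetical helpers modelling token.l and the protocol rule; the 255 value of IPSEC_ULPROTO_ANY is assumed from FreeBSD's netipsec/ipsec.h.

```c
/* Added illustration, not setkey's code: models how the lexer/grammar
 * split decides whether an upper-layer protocol word in an spdadd line
 * is accepted.  IPSEC_ULPROTO_ANY's value is assumed from FreeBSD's
 * netipsec/ipsec.h. */
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

#define IPSEC_ULPROTO_ANY 255          /* "any" in setkey's grammar */
#define ULPROTO_SYNTAX_ERROR (-1)

/* Token kinds the (modelled) lexer can hand to the grammar. */
enum token { DECSTRING, ANY, PR_TCP, PR_ESP, STRING };

/* token.l reserves some words as keywords before the generic STRING
 * rule gets a chance; "esp" is one of them, "udp" for example is not. */
static enum token lex_word(const char *w)
{
    if (strcmp(w, "any") == 0) return ANY;
    if (strcmp(w, "tcp") == 0) return PR_TCP;
    if (strcmp(w, "esp") == 0) return PR_ESP;
    if (*w && strspn(w, "0123456789") == strlen(w)) return DECSTRING;
    return STRING;
}

/* The grammar's upper-layer protocol rule.  with_fix selects whether
 * the PR_ESP alternative from the patch is present. */
int parse_ulproto(const char *word, int with_fix)
{
    struct protoent *ent;

    switch (lex_word(word)) {
    case DECSTRING: return atoi(word);
    case ANY:       return IPSEC_ULPROTO_ANY;
    case PR_TCP:    return IPPROTO_TCP;
    case PR_ESP:
        /* Without the patch there is no alternative for this token, so
         * yacc reports a syntax error even though /etc/protocols knows
         * "esp": the STRING fallback below is never reached. */
        return with_fix ? IPPROTO_ESP : ULPROTO_SYNTAX_ERROR;
    case STRING:
        ent = getprotobyname(word);   /* e.g. "udp" via /etc/protocols */
        return ent ? ent->p_proto : ULPROTO_SYNTAX_ERROR;
    }
    return ULPROTO_SYNTAX_ERROR;
}
```

parse_ulproto("esp", 0) returns the syntax error and parse_ulproto("esp", 1) returns IPPROTO_ESP, which is the whole difference the one-line patch makes.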
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gnn 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Jan 1 11:45:38 UTC 2007 
Responsible-Changed-Why:  
George, i think you know most about our IPSEC code, can you have a look 
at this please? There is a patch included which might be what we are 
looking for. Thanks in advance! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107392 
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Sat Jan 12 20:00:25 UTC 2008 
State-Changed-Why:  
Committed to HEAD.  Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107392 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/107392: commit references a PR
Date: Sat, 12 Jan 2008 20:00:31 +0000 (UTC)

 maxim       2008-01-12 20:00:24 UTC
 
   FreeBSD src repository
 
   Modified files:
     sbin/setkey          parse.y 
   Log:
   o Allow setkey(8) to recognize esp as a protocol name for spdadd.
   
   PR:             bin/107392
   Submitted by:   Eugene Grosbein
   MFC after:      1 month
   
   Revision  Changes    Path
   1.11      +1 -0      src/sbin/setkey/parse.y
 

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: bug-followup@freebsd.org
Cc: maxim@freebsd.org, gnn@freebsd.org
Subject: Re: bin/107392: [patch] setkey(8) does not recognize esp as protocol name for spdadd
Date: Sat, 23 Feb 2008 16:39:25 +0700

 Hi!
 
 Wasn't 5+ weeks enough of a testing period for this PR and trivial patch?
 Please perform MFC to RELENG_6/7 :-)
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/107392
 
 Eugene Grosbein

From: Maxim Konovalov <maxim@macomnet.ru>
To: Eugene Grosbein <eugen@grosbein.pp.ru>
Cc: bug-followup@FreeBSD.ORG
Subject: Re: bin/107392: [patch] setkey(8) does not recognize esp as protocol
 name for spdadd
Date: Sat, 23 Feb 2008 21:02:25 +0300 (MSK)

 On Sat, 23 Feb 2008, 16:39+0700, Eugene Grosbein wrote:
 
 > Hi!
 >
 > Wasn't 5+ weeks enough of a testing period for this PR and trivial patch?
 > Please perform MFC to RELENG_6/7 :-)
 >
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/107392
 >
 I will merge this to RELENG_6/7 when I get a free time slice.  No
 need to push me.
 
 -- 
 Maxim Konovalov
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Tue Feb 26 09:41:00 UTC 2008 
State-Changed-Why:  
Merged to RELENG_6 and RELENG_7. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107392 
>Unformatted:
