From eugen@grosbein.pp.ru  Sun May 11 08:02:20 2008
Return-Path: <eugen@grosbein.pp.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 806D51065671
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 11 May 2008 08:02:20 +0000 (UTC)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (grgw.svzserv.kemerovo.su [213.184.64.166])
	by mx1.freebsd.org (Postfix) with ESMTP id CD53A8FC13
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 11 May 2008 08:02:18 +0000 (UTC)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (localhost [127.0.0.1])
	by grosbein.pp.ru (8.14.2/8.14.2) with ESMTP id m4B82BjP002164
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 11 May 2008 16:02:11 +0800 (KRAST)
	(envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost)
	by grosbein.pp.ru (8.14.2/8.14.2/Submit) id m4B82BSl002163;
	Sun, 11 May 2008 16:02:11 +0800 (KRAST)
	(envelope-from eugen)
Message-Id: <200805110802.m4B82BSl002163@grosbein.pp.ru>
Date: Sun, 11 May 2008 16:02:11 +0800 (KRAST)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Reply-To: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for RELENG_6)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         123587
>Category:       kern
>Synopsis:       [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for RELENG_6)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 11 08:10:00 UTC 2008
>Closed-Date:    Mon Jan 04 15:31:13 UTC 2010
>Last-Modified:  Mon Jan  4 15:40:01 UTC 2010
>Originator:     Eugene Grosbein
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD grosbein.pp.ru 7.0-STABLE FreeBSD 7.0-STABLE #5: Sat May 3 17:45:36 KRAST 2008 eu@grosbein.pp.ru:/usr/local/obj/usr/local/obj/src/sys/DADV i386

>Description:

	In RELENG_6, the old-fashioned IPSEC implementation works nicely
	with the IPCOMP protocol used to compress traffic.

	IPCOMP fails to work in both RELENG_7 and RELENG_6 with FAST_IPSEC.

>How-To-Repeat:

	Let's take two FreeBSD boxes, one is 10.58.0.11/24,
	the other is 10.58.0.22/24. Without an IPSEC policy loaded,
	they ping each other without a problem.

	Here is /etc/ipsec.conf for IPSEC transport mode, static keys:

flush;
spdflush;

add 10.58.0.22 10.58.0.11 ipcomp 1111 -C deflate;      
add 10.58.0.22 10.58.0.11 esp 1111 -m transport -E blowfish-cbc "xxxxxxxx";
add 10.58.0.11 10.58.0.22 ipcomp 2111 -C deflate;      
add 10.58.0.11 10.58.0.22 esp 2111 -m transport -E blowfish-cbc "yyyyyyyy";

spdadd 10.58.0.22/32 10.58.0.11/32 any -P out ipsec      
  ipcomp/transport//require esp/transport//require;
spdadd 10.58.0.11/32 10.58.0.22/32 any -P in  ipsec      
  ipcomp/transport//require esp/transport//require;

	After 'setkey -f /etc/ipsec.conf', ping 10.58.0.22 says:

ping: sendto: No route to host

	The problem disappears if we remove 'ipcomp/transport//require',
	disabling IPCOMP completely. The problem does not exist for
	RELENG_6 with the old "options IPSEC/IPSEC_ESP" in a kernel.

>Fix:

	Unknown.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 11 10:32:51 UTC 2008 
Responsible-Changed-Why:  
Pretend to feel interested in fixing this one day. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123587 

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Eugene Grosbein <eugen@grosbein.pp.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Re: kern/123587: [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for
 RELENG_6)
Date: Sun, 11 May 2008 10:32:25 +0000 (UTC)

 Hi,
 
 just FYI:
 
 man ipsec, in the BUGS section, says:
 
 "     The IPcomp protocol support is currently broken."
 
 so, this is a well-known problem and on someone's TODO list, which is
 probably way too long. Feel free to provide a patch to fix the problem.
 
 

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: bug-followup@freebsd.org
Cc: bz@freebsd.org
Subject: Re:kern/123587: [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for RELENG_6)
Date: Sun, 11 May 2008 22:27:17 +0800

 > Pretend to feel interested in fixing this one day
 
 If you have no intent to deal with the problem in the near future,
 why have you changed 'Responsible'? This will lower the possibility
 for another developer to take the PR, won't it?
 
 Eugene Grosbein

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123587: commit references a PR
Date: Sun, 29 Nov 2009 10:53:48 +0000 (UTC)

 Author: bz
 Date: Sun Nov 29 10:53:34 2009
 New Revision: 199899
 URL: http://svn.freebsd.org/changeset/base/199899
 
 Log:
   Only add the IPcomp header if crypto reported success and we have a lower
   payload size.  Before we had always added the header, no matter if we
   actually send out compressed data or not.
   
   With this, after the opencrypto/deflate changes, IPcomp starts to work
   apart from edge cases.  Leave it disabled by default until those are
   fixed as well.
   
   PR:		kern/123587
   MFC after:	5 days
 
 Modified:
   head/sys/netipsec/xform_ipcomp.c
 
 Modified: head/sys/netipsec/xform_ipcomp.c
 ==============================================================================
 --- head/sys/netipsec/xform_ipcomp.c	Sat Nov 28 23:50:48 2009	(r199898)
 +++ head/sys/netipsec/xform_ipcomp.c	Sun Nov 29 10:53:34 2009	(r199899)
 @@ -330,13 +330,10 @@ ipcomp_output(
  {
  	struct secasvar *sav;
  	struct comp_algo *ipcompx;
 -	int error, ralen, hlen, maxpacketsize, roff;
 -	u_int8_t prot;
 +	int error, ralen, maxpacketsize;
  	struct cryptodesc *crdc;
  	struct cryptop *crp;
  	struct tdb_crypto *tc;
 -	struct mbuf *mo;
 -	struct ipcomp *ipcomp;
  
  	sav = isr->sav;
  	IPSEC_ASSERT(sav != NULL, ("null SA"));
 @@ -355,8 +352,6 @@ ipcomp_output(
  	}
  
  	ralen = m->m_pkthdr.len - skip;	/* Raw payload length before comp. */
 -	hlen = IPCOMP_HLENGTH;
 -
  	V_ipcompstat.ipcomps_output++;
  
  	/* Check for maximum packet size violations. */
 @@ -381,13 +376,13 @@ ipcomp_output(
  		error = EPFNOSUPPORT;
  		goto bad;
  	}
 -	if (skip + hlen + ralen > maxpacketsize) {
 +	if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
  		V_ipcompstat.ipcomps_toobig++;
  		DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
  		    "(len %u, max len %u)\n", __func__,
  		    ipsec_address(&sav->sah->saidx.dst),
  		    (u_long) ntohl(sav->spi),
 -		    skip + hlen + ralen, maxpacketsize));
 +		    ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
  		error = EMSGSIZE;
  		goto bad;
  	}
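 Review bot: the size check keeps budgeting IPCOMP_HLENGTH even though, after this change, the header is only inserted in the callback when compression shrinks the payload. That is harmless (conservative) and in fact still needed as long as the callback compares `crp->crp_ilen - skip > crp->crp_olen` without the header: a payload that deflates to 1 to 3 bytes less than the original still grows once the 4-byte header is prepended. If the callback check is tightened to count the header, this bound can drop to `ralen + skip`.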
 @@ -405,40 +400,7 @@ ipcomp_output(
  		goto bad;
  	}
  
 -	/* Inject IPCOMP header */
 -	mo = m_makespace(m, skip, hlen, &roff);
 -	if (mo == NULL) {
 -		V_ipcompstat.ipcomps_wrap++;
 -		DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 -		    __func__, ipsec_address(&sav->sah->saidx.dst),
 -		    (u_long) ntohl(sav->spi)));
 -		error = ENOBUFS;
 -		goto bad;
 -	}
 -	ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 -
 -	/* Initialize the IPCOMP header */
 -	/* XXX alignment always correct? */
 -	switch (sav->sah->saidx.dst.sa.sa_family) {
 -#ifdef INET
 -	case AF_INET:
 -		ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 -		break;
 -#endif /* INET */
 -#ifdef INET6
 -	case AF_INET6:
 -		ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 -		break;
 -#endif
 -	}
 -	ipcomp->comp_flags = 0;
 -	ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 -
 -	/* Fix Next Protocol in IPv4/IPv6 header */
 -	prot = IPPROTO_IPCOMP;
 -	m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
 -
 -	/* Ok now, we can pass to the crypto processing */
 +	/* Ok now, we can pass to the crypto processing. */
  
  	/* Get crypto descriptors */
  	crp = crypto_getreq(1);
 @@ -451,10 +413,10 @@ ipcomp_output(
  	crdc = crp->crp_desc;
  
  	/* Compression descriptor */
 -	crdc->crd_skip = skip + hlen;
 -	crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
 +	crdc->crd_skip = skip;
 +	crdc->crd_len = ralen;
  	crdc->crd_flags = CRD_F_COMP;
 -	crdc->crd_inject = skip + hlen;
 +	crdc->crd_inject = skip;
  
  	/* Compression operation */
  	crdc->crd_alg = ipcompx->type;
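 Review bot: `crdc->crd_inject = skip` together with `crdc->crd_skip = skip` means the deflate output is written back in place from offset `skip`, so the mbuf chain no longer carries the 4 bytes of header slack it had before; this is only safe if the opencrypto deflate path copes with output that is longer than `crd_len` when the data does not compress. The log refers to "the opencrypto/deflate changes" that make this work without naming a revision; please cite it here so the MFCs to stable/7 and stable/8 pick up the dependency as well.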
 @@ -474,7 +436,8 @@ ipcomp_output(
  	tc->tc_spi = sav->spi;
  	tc->tc_dst = sav->sah->saidx.dst;
  	tc->tc_proto = sav->sah->saidx.proto;
 -	tc->tc_skip = skip + hlen;
 +	tc->tc_protoff = protoff;
 +	tc->tc_skip = skip;
  
  	/* Crypto operation descriptor */
  	crp->crp_ilen = m->m_pkthdr.len;	/* Total input length */
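 Review bot: `tc->tc_protoff` is assigned here but this diff does not add the member to `struct tdb_crypto`; confirm it already exists in netipsec/ipsec.h on every branch this will be merged to (AH and ESP carry the protocol offset to their callbacks the same way), otherwise the stable/7 and stable/8 MFCs will not compile.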
 @@ -501,13 +464,12 @@ ipcomp_output_cb(struct cryptop *crp)
  	struct ipsecrequest *isr;
  	struct secasvar *sav;
  	struct mbuf *m;
 -	int error, skip, rlen;
 +	int error, skip;
  
  	tc = (struct tdb_crypto *) crp->crp_opaque;
  	IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
  	m = (struct mbuf *) crp->crp_buf;
  	skip = tc->tc_skip;
 -	rlen = crp->crp_ilen - skip;
  
  	isr = tc->tc_isr;
  	IPSECREQUEST_LOCK(isr);
 @@ -529,8 +491,7 @@ ipcomp_output_cb(struct cryptop *crp)
  		if (crp->crp_etype == EAGAIN) {
  			KEY_FREESAV(&sav);
  			IPSECREQUEST_UNLOCK(isr);
 -			error = crypto_dispatch(crp);
 -			return error;
 +			return crypto_dispatch(crp);
  		}
  		V_ipcompstat.ipcomps_noxform++;
  		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 @@ -546,7 +507,46 @@ ipcomp_output_cb(struct cryptop *crp)
  	}
  	V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
  
 -	if (rlen > crp->crp_olen) {
 +	if (crp->crp_ilen - skip > crp->crp_olen) {
 +		struct mbuf *mo;
 +		struct ipcomp *ipcomp;
 +		int roff;
 +		uint8_t prot;
 +
 +		/* Compression helped, inject IPCOMP header. */
 +		mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
 +		if (mo == NULL) {
 +			V_ipcompstat.ipcomps_wrap++;
 +			DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 +			    __func__, ipsec_address(&sav->sah->saidx.dst),
 +			    (u_long) ntohl(sav->spi)));
 +			error = ENOBUFS;
 +			goto bad;
 +		}
 +		ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 +
 +		/* Initialize the IPCOMP header */
 +		/* XXX alignment always correct? */
 +		switch (sav->sah->saidx.dst.sa.sa_family) {
 +#ifdef INET
 +		case AF_INET:
 +			ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 +			break;
 +#endif /* INET */
 +#ifdef INET6
 +		case AF_INET6:
 +			ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 +			break;
 +#endif
 +		}
 +		ipcomp->comp_flags = 0;
 +		ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 +
 +		/* Fix Next Protocol in IPv4/IPv6 header */
 +		prot = IPPROTO_IPCOMP;
 +		m_copyback(m, tc->tc_protoff, sizeof(u_int8_t),
 +		    (u_char *)&prot);
 +
  		/* Adjust the length in the IP header */
  		switch (sav->sah->saidx.dst.sa.sa_family) {
  #ifdef INET
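 Review bot: the condition `crp->crp_ilen - skip > crp->crp_olen` counts only the deflate output, not the 4-byte header this block is about to add. RFC 3173 section 2.2 requires the datagram to go out uncompressed whenever compressed payload plus IPComp header is not smaller than the original payload, so this should read `crp->crp_ilen - skip > crp->crp_olen + IPCOMP_HLENGTH`; as written, a payload that shrinks by 1 to 3 bytes is sent larger than it was. Separately, the `goto bad` after a failed m_makespace() now runs from the callback rather than from ipcomp_output(); confirm that the `bad:` label in ipcomp_output_cb() releases `sav`, unlocks `isr` and frees `crp` and `m` on this path, since none of that is visible in the hunk.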
 @@ -573,6 +573,8 @@ ipcomp_output_cb(struct cryptop *crp)
  	} else {
  		/* compression was useless, we have lost time */
  		/* XXX add statistic */
 +		/* XXX remember state to not compress the next couple
 +		 *     of packets, RFC 3173, 2.2. Non-Expansion Policy */
  	}
  
  	/* Release the crypto descriptor */
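 Review bot: the `else` branch is now the only place where we learn that compression was useless, and it still carries `/* XXX add statistic */`; since no header is added in this case there is nothing on the wire that reveals it, so a counter in `ipcompstat` would be the only way for an operator to tell "nothing compresses" from "IPComp is off". The pointer to RFC 3173 section 2.2 (Non-Expansion Policy) is the right follow-up, but until it is implemented every packet of incompressible traffic still pays for a full deflate pass and a crypto round trip.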
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
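 The decision the commit above moves into ipcomp_output_cb(), shown as a stand-alone Python example (added here; it is not FreeBSD code and does not come from the PR): deflate the payload with the raw DEFLATE stream IPComp uses (RFC 2394), then prepend the 4-byte IPComp header only when the datagram actually gets smaller. Unlike the kernel hunk, it applies RFC 3173 section 2.2 literally and counts the header in the comparison. The CPI value 0x083f is the one visible in the tcpdump output later in this PR (the kernel derives the CPI from the low 16 bits of the SPI); the payloads are constructed test data, and the 65535-byte inflation cap and the CPI check on the receive side are my additions, not documented kernel behaviour.

```python
"""IPComp (RFC 3173) framing decision, outside the kernel.

Added example, not FreeBSD code. It mirrors the decision r199899 moves into
ipcomp_output_cb(): deflate the payload, then prepend the 4-byte IPComp header
only if the datagram actually gets smaller. The CPI 0x083f used below is the
one visible in the tcpdump output in this PR (the kernel derives the CPI from
the low 16 bits of the SPI); the payloads are constructed test data.
"""
import struct
import zlib

IPPROTO_ICMP = 1
IPPROTO_IPCOMP = 108
IPCOMP_HLENGTH = 4        # Next Header (1), Flags (1), CPI (2)
MAX_IP_DATAGRAM = 65535   # assumed cap for the inflated payload (my addition)


def deflate_raw(payload: bytes) -> bytes:
    """IPComp uses the bare DEFLATE stream (RFC 2394): no zlib header and no
    Adler-32 trailer. Negative wbits selects that format in zlib."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(payload) + c.flush(zlib.Z_FINISH)


def inflate_raw(data: bytes, max_out: int = MAX_IP_DATAGRAM) -> bytes:
    """Inflate with an output cap so a tiny IPComp payload cannot be made to
    expand without bound (a guard added here, not a kernel behaviour)."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("payload inflates past %d bytes or is truncated" % max_out)
    if d.unused_data:
        raise ValueError("trailing bytes after DEFLATE stream")
    return out


def ipcomp_header(next_proto: int, cpi: int) -> bytes:
    return struct.pack("!BBH", next_proto, 0, cpi)   # flags are reserved (0)


def ipcomp_encapsulate(next_proto: int, cpi: int, payload: bytes):
    """Return (protocol for the IP header, bytes following the IP header).

    RFC 3173 section 2.2: if compressed payload + IPComp header is not smaller
    than the original payload, the datagram MUST be sent uncompressed. Counting
    the header here is what keeps a 1-3 byte deflate gain from turning into a
    larger packet on the wire.
    """
    comp = deflate_raw(payload)
    if len(comp) + IPCOMP_HLENGTH >= len(payload):
        return next_proto, payload                    # non-expansion policy
    return IPPROTO_IPCOMP, ipcomp_header(next_proto, cpi) + comp


def ipcomp_decapsulate(proto: int, body: bytes, expected_cpi: int):
    """Inverse of ipcomp_encapsulate(); a non-IPComp protocol passes through."""
    if proto != IPPROTO_IPCOMP:
        return proto, body
    if len(body) < IPCOMP_HLENGTH:
        raise ValueError("short IPComp header")
    next_proto, flags, cpi = struct.unpack("!BBH", body[:IPCOMP_HLENGTH])
    if flags != 0:
        raise ValueError("reserved IPComp flags set")
    if cpi != expected_cpi:
        raise ValueError("CPI 0x%04x does not match IPCA 0x%04x" % (cpi, expected_cpi))
    return next_proto, inflate_raw(body[IPCOMP_HLENGTH:])


if __name__ == "__main__":
    cpi = 0x083F
    for name, payload in (("256 distinct bytes", bytes(range(256))),
                          ("3000 x 'a'", b"a" * 3000)):
        proto, body = ipcomp_encapsulate(IPPROTO_ICMP, cpi, payload)
        tag = "IPComp" if proto == IPPROTO_IPCOMP else "uncompressed"
        print("%-18s %5d -> %5d bytes, sent %s" % (name, len(payload), len(body), tag))
        assert ipcomp_decapsulate(proto, body, cpi) == (IPPROTO_ICMP, payload)
```

 Run stand-alone it prints one line per payload: the 256 distinct bytes do not compress (DEFLATE falls back to a stored block, which is longer than the input) and go out with their original protocol number and no header, while the run of identical bytes, the kind of payload Eugene's ping sweep later sends, is carried as IPComp. The receive side rejects a reserved flag, a CPI that does not belong to the IPCA, and any payload that would inflate past the cap.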
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123587: commit references a PR
Date: Sun, 29 Nov 2009 20:47:58 +0000 (UTC)

 Author: bz
 Date: Sun Nov 29 20:47:43 2009
 New Revision: 199947
 URL: http://svn.freebsd.org/changeset/base/199947
 
 Log:
   Enable IPcomp by default.
   
   PR:		kern/123587
   MFC after:	5 days
 
 Modified:
   head/share/man/man4/ipsec.4
   head/sys/netipsec/xform_ipcomp.c
 
 Modified: head/share/man/man4/ipsec.4
 ==============================================================================
 --- head/share/man/man4/ipsec.4	Sun Nov 29 20:37:30 2009	(r199946)
 +++ head/share/man/man4/ipsec.4	Sun Nov 29 20:47:43 2009	(r199947)
 @@ -29,7 +29,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd May 23, 2009
 +.Dd November 29, 2009
  .Dt IPSEC 4
  .Os
  .Sh NAME
 @@ -215,7 +215,7 @@ To selectively enable/disable protocols,
  .It Sy "Name	Default"
  .It "net.inet.esp.esp_enable	On"
  .It "net.inet.ah.ah_enable	On"
 -.It "net.inet.ipcomp.ipcomp_enable	Off"
 +.It "net.inet.ipcomp.ipcomp_enable	On"
  .El
  .Pp
  In addition the following variables are accessible via
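 Review bot: flipping the documented default to On is consistent with the `VNET_DEFINE(int, ipcomp_enable) = 1` change in the same commit, but the BUGS section of this very page keeps saying IPcomp may error, so the table entry (or the BUGS text) should say in plain words that setting `net.inet.ipcomp.ipcomp_enable` to 0 is the way to opt out if that is hit; right now a reader has to infer it from the table.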
 @@ -408,6 +408,8 @@ size may alleviate this problem.
  .Pp
  The
  .Tn IPcomp
 -protocol support is currently broken.
 +protocol may occationally error because of
 +.Xr zlib 3
 +problems.
  .Pp
  This documentation needs more review.
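 Review bot: typo in the added text, `occationally` should be `occasionally` (the stable/8 MFC of this hunk later in the PR has the corrected spelling). The new wording also says the protocol "may error" without saying what an admin would observe; the follow-up mail in this PR describes the symptom as errors returned from deflate_global() on ICMP payloads of roughly 3000 identical bytes, and a sentence to that effect would make the entry recognisable.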
 
 Modified: head/sys/netipsec/xform_ipcomp.c
 ==============================================================================
 --- head/sys/netipsec/xform_ipcomp.c	Sun Nov 29 20:37:30 2009	(r199946)
 +++ head/sys/netipsec/xform_ipcomp.c	Sun Nov 29 20:47:43 2009	(r199947)
 @@ -68,7 +68,7 @@
  #include <opencrypto/deflate.h>
  #include <opencrypto/xform.h>
  
 -VNET_DEFINE(int, ipcomp_enable) = 0;
 +VNET_DEFINE(int, ipcomp_enable) = 1;
  VNET_DEFINE(struct ipcompstat, ipcompstat);
  
  SYSCTL_DECL(_net_inet_ipcomp);
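 Review bot: r199899's log said to leave IPComp disabled by default until the edge cases are fixed, and the ipsec.4 change in this same commit still documents zlib errors as present, so the log here should state what changed in between to justify enabling it; as it stands the two commit messages contradict each other and a reader of the history cannot tell whether the decision was deliberate.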
 
State-Changed-From-To: open->patched 
State-Changed-By: bz 
State-Changed-When: Sun Nov 29 20:53:11 UTC 2009 
State-Changed-Why:  
HEAD now supports IPComp as well as zlib does. 
I'll prepare MFC patches to test now. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123587 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, eugen@grosbein.pp.ru
Cc:  
Subject: Re: kern/123587: [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for
 RELENG_6)
Date: Sun, 29 Nov 2009 22:37:37 +0000 (UTC)

 Hi,
 
 you can find a patch for stable/8 here:
  	http://people.freebsd.org/~bz/20091129-04-ipcomp-mfc8.diff
 
 I'll try to produce one for at least stable/7 as well the next days.
 
 Note that there are occasional errors returned from deflate_global().
 I have only seen them at the end with ~3000 bytes of the same
 character as payload to an ICMP echo reply.  Nevertheless they exist.
 
 The only way to fix that would be updating sys/net/zlib.? as well.
 There is a patch for this here (for HEAD but should equally apply to
 all other branches):
  	http://people.freebsd.org/~bz/20091129-03-net-zlib.diff
 It will help xform_ipcomp but it may break at least ng_deflate()
 (even more).
 
 There will be work to fix this but if you can confirm that ipcomp
 works for you with this, that would be fantastic:)
 
 /bz
 
 -- 
 Bjoern A. Zeeb         It will not break if you know what you are doing.

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/123587: [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for RELENG_6)
Date: Wed, 02 Dec 2009 00:10:30 +0700

 Hi!
 
 I took two 8.0-STABLE systems built from the same sources.
 Both have 'options IPSEC' and 'device crypto' in kernel config.
 They are in the same 100Mbit ethernet broadcast segment, MTU=1500.
 
 Applied http://people.freebsd.org/~bz/20091129-04-ipcomp-mfc8.diff only,
 rebuilt and reinstalled kernels and rebooted systems.
 
 Without IPSEC, both hosts ping each other just fine.
 Applied the IPSEC configuration explained in the PR (symmetrically, 16-character
 keys).
 
 Note1: 10.58.0.11 has onboard:
 glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem
 0xef010000-0xef013fff at device 1.2 on pci0
 
 10.58.0.22 has no crypto hardware.
 
 Note2: 10.58.0.22 runs an INVARIANTS/WITNESS-enabled kernel.
 
 I run from 10.58.0.22:
 
 # ping -q -i 0.01 -g 0 -G 4000 -S 10.58.0.22 10.58.0.11
 PING 10.58.0.11 (10.58.0.11) from 10.58.0.22: (0 ... 4000) data bytes
 
 It starts to ping just fine.
 
 While ping runs, I run at 10.58.0.11:
 
 # tcpdump -s0 -np -i vr0 -E 'file keys.txt' host 10.58.0.11
 22:29:07.580703 IP 10.58.0.11 > 10.58.0.22:
 ESP(spi=0x0000083f,seq=0x2c0d), length 96: IPComp(cpi=0x083f)
 22:29:07.601933 IP 10.58.0.22 > 10.58.0.11:
 ESP(spi=0x00000457,seq=0x1c2d), length 96: IPComp(cpi=0x0457)
 22:29:07.602750 IP 10.58.0.11 > 10.58.0.22:
 ESP(spi=0x0000083f,seq=0x2c0e), length 96: IPComp(cpi=0x083f)
 22:29:07.623979 IP 10.58.0.22 > 10.58.0.11:
 ESP(spi=0x00000457,seq=0x1c2e), length 96: IPComp(cpi=0x0457)
 
 So, there are really ESP+IPComp packets at wire.
 
 At last, ping finished with result:
 
 --- 10.58.0.11 ping statistics ---
 4001 packets transmitted, 4001 packets received, 0.0% packet loss
 
 So far, so good :-)
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123587: commit references a PR
Date: Sat,  5 Dec 2009 19:07:54 +0000 (UTC)

 Author: bz
 Date: Sat Dec  5 19:07:28 2009
 New Revision: 200144
 URL: http://svn.freebsd.org/changeset/base/200144
 
 Log:
   MFC r199899:
     Only add the IPcomp header if crypto reported success and we have a lower
     payload size.  Before we had always added the header, no matter if we
     actually send out compressed data or not.
   
     With this, after the opencrypto/deflate changes, IPcomp starts to work
     apart from edge cases.  Leave it disabled by default until those are
     fixed as well.
   
   PR:	kern/123587
 
 Modified:
   stable/8/sys/netipsec/xform_ipcomp.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
 
 Modified: stable/8/sys/netipsec/xform_ipcomp.c
 ==============================================================================
 --- stable/8/sys/netipsec/xform_ipcomp.c	Sat Dec  5 19:06:03 2009	(r200143)
 +++ stable/8/sys/netipsec/xform_ipcomp.c	Sat Dec  5 19:07:28 2009	(r200144)
 @@ -330,13 +330,10 @@ ipcomp_output(
  {
  	struct secasvar *sav;
  	struct comp_algo *ipcompx;
 -	int error, ralen, hlen, maxpacketsize, roff;
 -	u_int8_t prot;
 +	int error, ralen, maxpacketsize;
  	struct cryptodesc *crdc;
  	struct cryptop *crp;
  	struct tdb_crypto *tc;
 -	struct mbuf *mo;
 -	struct ipcomp *ipcomp;
  
  	sav = isr->sav;
  	IPSEC_ASSERT(sav != NULL, ("null SA"));
 @@ -355,8 +352,6 @@ ipcomp_output(
  	}
  
  	ralen = m->m_pkthdr.len - skip;	/* Raw payload length before comp. */
 -	hlen = IPCOMP_HLENGTH;
 -
  	V_ipcompstat.ipcomps_output++;
  
  	/* Check for maximum packet size violations. */
 @@ -381,13 +376,13 @@ ipcomp_output(
  		error = EPFNOSUPPORT;
  		goto bad;
  	}
 -	if (skip + hlen + ralen > maxpacketsize) {
 +	if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
  		V_ipcompstat.ipcomps_toobig++;
  		DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
  		    "(len %u, max len %u)\n", __func__,
  		    ipsec_address(&sav->sah->saidx.dst),
  		    (u_long) ntohl(sav->spi),
 -		    skip + hlen + ralen, maxpacketsize));
 +		    ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
  		error = EMSGSIZE;
  		goto bad;
  	}
 @@ -405,40 +400,7 @@ ipcomp_output(
  		goto bad;
  	}
  
 -	/* Inject IPCOMP header */
 -	mo = m_makespace(m, skip, hlen, &roff);
 -	if (mo == NULL) {
 -		V_ipcompstat.ipcomps_wrap++;
 -		DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 -		    __func__, ipsec_address(&sav->sah->saidx.dst),
 -		    (u_long) ntohl(sav->spi)));
 -		error = ENOBUFS;
 -		goto bad;
 -	}
 -	ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 -
 -	/* Initialize the IPCOMP header */
 -	/* XXX alignment always correct? */
 -	switch (sav->sah->saidx.dst.sa.sa_family) {
 -#ifdef INET
 -	case AF_INET:
 -		ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 -		break;
 -#endif /* INET */
 -#ifdef INET6
 -	case AF_INET6:
 -		ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 -		break;
 -#endif
 -	}
 -	ipcomp->comp_flags = 0;
 -	ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 -
 -	/* Fix Next Protocol in IPv4/IPv6 header */
 -	prot = IPPROTO_IPCOMP;
 -	m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
 -
 -	/* Ok now, we can pass to the crypto processing */
 +	/* Ok now, we can pass to the crypto processing. */
  
  	/* Get crypto descriptors */
  	crp = crypto_getreq(1);
 @@ -451,10 +413,10 @@ ipcomp_output(
  	crdc = crp->crp_desc;
  
  	/* Compression descriptor */
 -	crdc->crd_skip = skip + hlen;
 -	crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
 +	crdc->crd_skip = skip;
 +	crdc->crd_len = ralen;
  	crdc->crd_flags = CRD_F_COMP;
 -	crdc->crd_inject = skip + hlen;
 +	crdc->crd_inject = skip;
  
  	/* Compression operation */
  	crdc->crd_alg = ipcompx->type;
 @@ -474,7 +436,8 @@ ipcomp_output(
  	tc->tc_spi = sav->spi;
  	tc->tc_dst = sav->sah->saidx.dst;
  	tc->tc_proto = sav->sah->saidx.proto;
 -	tc->tc_skip = skip + hlen;
 +	tc->tc_protoff = protoff;
 +	tc->tc_skip = skip;
  
  	/* Crypto operation descriptor */
  	crp->crp_ilen = m->m_pkthdr.len;	/* Total input length */
 @@ -501,13 +464,12 @@ ipcomp_output_cb(struct cryptop *crp)
  	struct ipsecrequest *isr;
  	struct secasvar *sav;
  	struct mbuf *m;
 -	int error, skip, rlen;
 +	int error, skip;
  
  	tc = (struct tdb_crypto *) crp->crp_opaque;
  	IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
  	m = (struct mbuf *) crp->crp_buf;
  	skip = tc->tc_skip;
 -	rlen = crp->crp_ilen - skip;
  
  	isr = tc->tc_isr;
  	IPSECREQUEST_LOCK(isr);
 @@ -529,8 +491,7 @@ ipcomp_output_cb(struct cryptop *crp)
  		if (crp->crp_etype == EAGAIN) {
  			KEY_FREESAV(&sav);
  			IPSECREQUEST_UNLOCK(isr);
 -			error = crypto_dispatch(crp);
 -			return error;
 +			return crypto_dispatch(crp);
  		}
  		V_ipcompstat.ipcomps_noxform++;
  		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 @@ -546,7 +507,46 @@ ipcomp_output_cb(struct cryptop *crp)
  	}
  	V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
  
 -	if (rlen > crp->crp_olen) {
 +	if (crp->crp_ilen - skip > crp->crp_olen) {
 +		struct mbuf *mo;
 +		struct ipcomp *ipcomp;
 +		int roff;
 +		uint8_t prot;
 +
 +		/* Compression helped, inject IPCOMP header. */
 +		mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
 +		if (mo == NULL) {
 +			V_ipcompstat.ipcomps_wrap++;
 +			DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 +			    __func__, ipsec_address(&sav->sah->saidx.dst),
 +			    (u_long) ntohl(sav->spi)));
 +			error = ENOBUFS;
 +			goto bad;
 +		}
 +		ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 +
 +		/* Initialize the IPCOMP header */
 +		/* XXX alignment always correct? */
 +		switch (sav->sah->saidx.dst.sa.sa_family) {
 +#ifdef INET
 +		case AF_INET:
 +			ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 +			break;
 +#endif /* INET */
 +#ifdef INET6
 +		case AF_INET6:
 +			ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 +			break;
 +#endif
 +		}
 +		ipcomp->comp_flags = 0;
 +		ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 +
 +		/* Fix Next Protocol in IPv4/IPv6 header */
 +		prot = IPPROTO_IPCOMP;
 +		m_copyback(m, tc->tc_protoff, sizeof(u_int8_t),
 +		    (u_char *)&prot);
 +
  		/* Adjust the length in the IP header */
  		switch (sav->sah->saidx.dst.sa.sa_family) {
  #ifdef INET
 @@ -573,6 +573,8 @@ ipcomp_output_cb(struct cryptop *crp)
  	} else {
  		/* compression was useless, we have lost time */
  		/* XXX add statistic */
 +		/* XXX remember state to not compress the next couple
 +		 *     of packets, RFC 3173, 2.2. Non-Expansion Policy */
  	}
  
  	/* Release the crypto descriptor */
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123587: commit references a PR
Date: Sat,  5 Dec 2009 19:25:43 +0000 (UTC)

 Author: bz
 Date: Sat Dec  5 19:25:29 2009
 New Revision: 200149
 URL: http://svn.freebsd.org/changeset/base/200149
 
 Log:
   MFC r199947, 199950:
     Enable IPcomp by default.
   
   PR:	kern/123587
 
 Modified:
   stable/8/share/man/man4/ipsec.4
   stable/8/sys/netipsec/xform_ipcomp.c
 Directory Properties:
   stable/8/share/man/man4/   (props changed)
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
 
 Modified: stable/8/share/man/man4/ipsec.4
 ==============================================================================
 --- stable/8/share/man/man4/ipsec.4	Sat Dec  5 19:21:58 2009	(r200148)
 +++ stable/8/share/man/man4/ipsec.4	Sat Dec  5 19:25:29 2009	(r200149)
 @@ -29,7 +29,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd May 23, 2009
 +.Dd November 29, 2009
  .Dt IPSEC 4
  .Os
  .Sh NAME
 @@ -215,7 +215,7 @@ To selectively enable/disable protocols,
  .It Sy "Name	Default"
  .It "net.inet.esp.esp_enable	On"
  .It "net.inet.ah.ah_enable	On"
 -.It "net.inet.ipcomp.ipcomp_enable	Off"
 +.It "net.inet.ipcomp.ipcomp_enable	On"
  .El
  .Pp
  In addition the following variables are accessible via
 @@ -408,6 +408,8 @@ size may alleviate this problem.
  .Pp
  The
  .Tn IPcomp
 -protocol support is currently broken.
 +protocol may occasionally error because of
 +.Xr zlib 3
 +problems.
  .Pp
  This documentation needs more review.
 
 Modified: stable/8/sys/netipsec/xform_ipcomp.c
 ==============================================================================
 --- stable/8/sys/netipsec/xform_ipcomp.c	Sat Dec  5 19:21:58 2009	(r200148)
 +++ stable/8/sys/netipsec/xform_ipcomp.c	Sat Dec  5 19:25:29 2009	(r200149)
 @@ -68,7 +68,7 @@
  #include <opencrypto/deflate.h>
  #include <opencrypto/xform.h>
  
 -VNET_DEFINE(int, ipcomp_enable) = 0;
 +VNET_DEFINE(int, ipcomp_enable) = 1;
  VNET_DEFINE(struct ipcompstat, ipcompstat);
  
  SYSCTL_DECL(_net_inet_ipcomp);
 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, eugen@grosbein.pp.ru
Cc:  
Subject: Re: kern/123587: [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for
 RELENG_6)
Date: Sun, 13 Dec 2009 13:46:22 +0000 (UTC)

 Hi,
 
 I have an untested (apart from compile tested) patch for RELENG_7 at:
 
 http://people.freebsd.org/~bz/20091212-01-mfc7-ipcomp.diff
 
 If you can confirm that it works equally well as the stable/8 one did,
 I'll commit it.
 
 Happy sunday,
 /bz
 
 -- 
 Bjoern A. Zeeb         It will not break if you know what you are doing.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123587: commit references a PR
Date: Tue, 29 Dec 2009 23:41:12 +0000 (UTC)

 Author: bz
 Date: Tue Dec 29 23:40:57 2009
 New Revision: 201239
 URL: http://svn.freebsd.org/changeset/base/201239
 
 Log:
   MFC r199899:
   
     Only add the IPcomp header if crypto reported success and we have a lower
     payload size.  Before we had always added the header, no matter if we
     actually send out compressed data or not.
   
     With this, after the opencrypto/deflate changes, IPcomp starts to work
     apart from edge cases.  Leave it disabled by default until those are
     fixed as well.
   
   PR:		kern/123587
 
 Modified:
   stable/7/sys/netipsec/xform_ipcomp.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netipsec/xform_ipcomp.c
 ==============================================================================
 --- stable/7/sys/netipsec/xform_ipcomp.c	Tue Dec 29 23:35:05 2009	(r201238)
 +++ stable/7/sys/netipsec/xform_ipcomp.c	Tue Dec 29 23:40:57 2009	(r201239)
 @@ -330,13 +330,10 @@ ipcomp_output(
  {
  	struct secasvar *sav;
  	struct comp_algo *ipcompx;
 -	int error, ralen, hlen, maxpacketsize, roff;
 -	u_int8_t prot;
 +	int error, ralen, maxpacketsize;
  	struct cryptodesc *crdc;
  	struct cryptop *crp;
  	struct tdb_crypto *tc;
 -	struct mbuf *mo;
 -	struct ipcomp *ipcomp;
  
  	IPSEC_SPLASSERT_SOFTNET(__func__);
  
 @@ -357,8 +354,6 @@ ipcomp_output(
  	}
  
  	ralen = m->m_pkthdr.len - skip;	/* Raw payload length before comp. */
 -	hlen = IPCOMP_HLENGTH;
 -
  	ipcompstat.ipcomps_output++;
  
  	/* Check for maximum packet size violations. */
 @@ -383,13 +378,13 @@ ipcomp_output(
  		error = EPFNOSUPPORT;
  		goto bad;
  	}
 -	if (skip + hlen + ralen > maxpacketsize) {
 +	if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
  		ipcompstat.ipcomps_toobig++;
  		DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
  		    "(len %u, max len %u)\n", __func__,
  		    ipsec_address(&sav->sah->saidx.dst),
  		    (u_long) ntohl(sav->spi),
 -		    skip + hlen + ralen, maxpacketsize));
 +		    ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
  		error = EMSGSIZE;
  		goto bad;
  	}
 @@ -407,40 +402,7 @@ ipcomp_output(
  		goto bad;
  	}
  
 -	/* Inject IPCOMP header */
 -	mo = m_makespace(m, skip, hlen, &roff);
 -	if (mo == NULL) {
 -		ipcompstat.ipcomps_wrap++;
 -		DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 -		    __func__, ipsec_address(&sav->sah->saidx.dst),
 -		    (u_long) ntohl(sav->spi)));
 -		error = ENOBUFS;
 -		goto bad;
 -	}
 -	ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 -
 -	/* Initialize the IPCOMP header */
 -	/* XXX alignment always correct? */
 -	switch (sav->sah->saidx.dst.sa.sa_family) {
 -#ifdef INET
 -	case AF_INET:
 -		ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 -		break;
 -#endif /* INET */
 -#ifdef INET6
 -	case AF_INET6:
 -		ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 -		break;
 -#endif
 -	}
 -	ipcomp->comp_flags = 0;
 -	ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 -
 -	/* Fix Next Protocol in IPv4/IPv6 header */
 -	prot = IPPROTO_IPCOMP;
 -	m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
 -
 -	/* Ok now, we can pass to the crypto processing */
 +	/* Ok now, we can pass to the crypto processing. */
  
  	/* Get crypto descriptors */
  	crp = crypto_getreq(1);
 @@ -453,10 +415,10 @@ ipcomp_output(
  	crdc = crp->crp_desc;
  
  	/* Compression descriptor */
 -	crdc->crd_skip = skip + hlen;
 -	crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
 +	crdc->crd_skip = skip;
 +	crdc->crd_len = ralen;
  	crdc->crd_flags = CRD_F_COMP;
 -	crdc->crd_inject = skip + hlen;
 +	crdc->crd_inject = skip;
  
  	/* Compression operation */
  	crdc->crd_alg = ipcompx->type;
 @@ -476,7 +438,8 @@ ipcomp_output(
  	tc->tc_spi = sav->spi;
  	tc->tc_dst = sav->sah->saidx.dst;
  	tc->tc_proto = sav->sah->saidx.proto;
 -	tc->tc_skip = skip + hlen;
 +	tc->tc_protoff = protoff;
 +	tc->tc_skip = skip;
  
  	/* Crypto operation descriptor */
  	crp->crp_ilen = m->m_pkthdr.len;	/* Total input length */
 @@ -503,13 +466,12 @@ ipcomp_output_cb(struct cryptop *crp)
  	struct ipsecrequest *isr;
  	struct secasvar *sav;
  	struct mbuf *m;
 -	int error, skip, rlen;
 +	int error, skip;
  
  	tc = (struct tdb_crypto *) crp->crp_opaque;
  	IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
  	m = (struct mbuf *) crp->crp_buf;
  	skip = tc->tc_skip;
 -	rlen = crp->crp_ilen - skip;
  
  	isr = tc->tc_isr;
  	IPSECREQUEST_LOCK(isr);
 @@ -531,8 +493,7 @@ ipcomp_output_cb(struct cryptop *crp)
  		if (crp->crp_etype == EAGAIN) {
  			KEY_FREESAV(&sav);
  			IPSECREQUEST_UNLOCK(isr);
 -			error = crypto_dispatch(crp);
 -			return error;
 +			return crypto_dispatch(crp);
  		}
  		ipcompstat.ipcomps_noxform++;
  		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 @@ -548,7 +509,46 @@ ipcomp_output_cb(struct cryptop *crp)
  	}
  	ipcompstat.ipcomps_hist[sav->alg_comp]++;
  
 -	if (rlen > crp->crp_olen) {
 +	if (crp->crp_ilen - skip > crp->crp_olen) {
 +		struct mbuf *mo;
 +		struct ipcomp *ipcomp;
 +		int roff;
 +		uint8_t prot;
 +
 +		/* Compression helped, inject IPCOMP header. */
 +		mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
 +		if (mo == NULL) {
 +			ipcompstat.ipcomps_wrap++;
 +			DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 +			    __func__, ipsec_address(&sav->sah->saidx.dst),
 +			    (u_long) ntohl(sav->spi)));
 +			error = ENOBUFS;
 +			goto bad;
 +		}
 +		ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 +
 +		/* Initialize the IPCOMP header */
 +		/* XXX alignment always correct? */
 +		switch (sav->sah->saidx.dst.sa.sa_family) {
 +#ifdef INET
 +		case AF_INET:
 +			ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 +			break;
 +#endif /* INET */
 +#ifdef INET6
 +		case AF_INET6:
 +			ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 +			break;
 +#endif
 +		}
 +		ipcomp->comp_flags = 0;
 +		ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 +
 +		/* Fix Next Protocol in IPv4/IPv6 header */
 +		prot = IPPROTO_IPCOMP;
 +		m_copyback(m, tc->tc_protoff, sizeof(u_int8_t),
 +		    (u_char *)&prot);
 +
  		/* Adjust the length in the IP header */
  		switch (sav->sah->saidx.dst.sa.sa_family) {
  #ifdef INET
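Review bot: The test `crp->crp_ilen - skip > crp->crp_olen` ignores the IPCOMP_HLENGTH bytes this block is about to insert, so a compression gain of 1 to IPCOMP_HLENGTH bytes yields a packet that is no shorter than the original, which RFC 3173 section 2.2 (the Non-Expansion Policy referenced in the comment added in the next hunk) says must go out uncompressed; compare against `crp->crp_olen + IPCOMP_HLENGTH` instead. Separately, `comp_nxt` is read from the fixed IP/IPv6 header (`ip_p` / `ip6_nxt`) while the protocol byte is overwritten at `tc->tc_protoff`; the two agree only when no extension headers sit between them, so fetching the byte at `tc->tc_protoff` with `m_copydata` before the `m_copyback` would keep them consistent in every case.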
 @@ -575,6 +575,8 @@ ipcomp_output_cb(struct cryptop *crp)
  	} else {
  		/* compression was useless, we have lost time */
  		/* XXX add statistic */
 +		/* XXX remember state to not compress the next couple
 +		 *     of packets, RFC 3173, 2.2. Non-Expansion Policy */
  	}
  
  	/* Release the crypto descriptor */
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123587: commit references a PR
Date: Wed, 30 Dec 2009 00:03:56 +0000 (UTC)

 Author: bz
 Date: Wed Dec 30 00:03:36 2009
 New Revision: 201244
 URL: http://svn.freebsd.org/changeset/base/201244
 
 Log:
   MFC r199947, 199950:
     Enable IPcomp by default.
   
   PR:	kern/123587
 
 Modified:
   stable/7/share/man/man4/ipsec.4
   stable/7/sys/netipsec/xform_ipcomp.c
 Directory Properties:
   stable/7/share/man/man4/   (props changed)
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/share/man/man4/ipsec.4
 ==============================================================================
 --- stable/7/share/man/man4/ipsec.4	Tue Dec 29 23:58:32 2009	(r201243)
 +++ stable/7/share/man/man4/ipsec.4	Wed Dec 30 00:03:36 2009	(r201244)
 @@ -29,7 +29,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd August 5, 2007
 +.Dd November 29, 2009
  .Dt IPSEC 4
  .Os
  .Sh NAME
 @@ -213,7 +213,7 @@ To selectively enable/disable protocols,
  .It Sy "Name	Default"
  .It "net.inet.esp.esp_enable	On"
  .It "net.inet.ah.ah_enable	On"
 -.It "net.inet.ipcomp.ipcomp_enable	Off"
 +.It "net.inet.ipcomp.ipcomp_enable	On"
  .El
  .Pp
  In addition the following variables are accessible via
 @@ -406,6 +406,8 @@ size may alleviate this problem.
  .Pp
  The
  .Tn IPcomp
 -protocol support is currently broken.
 +protocol may occasionally error because of
 +.Xr zlib 3
 +problems.
  .Pp
  This documentation needs more review.
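Review bot: "may occasionally error because of zlib(3) problems" tells an operator neither what fails (dropped packets, failed SA setup, something else) nor how to turn the feature back off; since the table in the previous hunk now lists `net.inet.ipcomp.ipcomp_enable` as On, name the opt-out (`sysctl net.inet.ipcomp.ipcomp_enable=0`) here and describe the symptom. Also confirm that `.Xr zlib 3` resolves to a manual page on this branch; the kernel side is built on opencrypto/deflate (see the include in xform_ipcomp.c below), so a pointer there may serve the reader better than a userland library page.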
 
 Modified: stable/7/sys/netipsec/xform_ipcomp.c
 ==============================================================================
 --- stable/7/sys/netipsec/xform_ipcomp.c	Tue Dec 29 23:58:32 2009	(r201243)
 +++ stable/7/sys/netipsec/xform_ipcomp.c	Wed Dec 30 00:03:36 2009	(r201244)
 @@ -66,7 +66,7 @@
  #include <opencrypto/deflate.h>
  #include <opencrypto/xform.h>
  
 -int	ipcomp_enable = 0;
 +int	ipcomp_enable = 1;
  struct	ipcompstat ipcompstat;
  
  SYSCTL_DECL(_net_inet_ipcomp);
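Review bot: Setting `ipcomp_enable = 1` makes IPComp SAs actually compress on this branch, yet the only user-facing explanation in the commit is the BUGS line saying the protocol "may occasionally error". The log should state why the default is now considered safe, because the sysctl table and the BUGS text in the same commit point in opposite directions, and remind operators that `sysctl net.inet.ipcomp.ipcomp_enable=0` restores the previous behaviour.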
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123587: commit references a PR
Date: Mon,  4 Jan 2010 15:01:27 +0000 (UTC)

 Author: bz
 Date: Mon Jan  4 15:01:18 2010
 New Revision: 201505
 URL: http://svn.freebsd.org/changeset/base/201505
 
 Log:
   MFC r199899:
   
     Only add the IPcomp header if crypto reported success and we have a lower
    payload size.  Before we had always added the header, no matter if we
    actually sent out compressed data or not.
   
     With this, after the opencrypto/deflate changes, IPcomp starts to work
     apart from edge cases.  Leave it disabled by default until those are
     fixed as well.
   
   PR:		kern/123587
 
 Modified:
   stable/6/sys/netipsec/xform_ipcomp.c
 Directory Properties:
   stable/6/sys/   (props changed)
   stable/6/sys/contrib/pf/   (props changed)
   stable/6/sys/dev/cxgb/   (props changed)
 
 Modified: stable/6/sys/netipsec/xform_ipcomp.c
 ==============================================================================
 --- stable/6/sys/netipsec/xform_ipcomp.c	Mon Jan  4 14:58:41 2010	(r201504)
 +++ stable/6/sys/netipsec/xform_ipcomp.c	Mon Jan  4 15:01:18 2010	(r201505)
 @@ -335,13 +335,10 @@ ipcomp_output(
  {
  	struct secasvar *sav;
  	struct comp_algo *ipcompx;
 -	int error, ralen, hlen, maxpacketsize, roff;
 -	u_int8_t prot;
 +	int error, ralen, maxpacketsize;
  	struct cryptodesc *crdc;
  	struct cryptop *crp;
  	struct tdb_crypto *tc;
 -	struct mbuf *mo;
 -	struct ipcomp *ipcomp;
  
  	IPSEC_SPLASSERT_SOFTNET(__func__);
  
 @@ -362,8 +359,6 @@ ipcomp_output(
  	}
  
  	ralen = m->m_pkthdr.len - skip;	/* Raw payload length before comp. */
 -	hlen = IPCOMP_HLENGTH;
 -
  	ipcompstat.ipcomps_output++;
  
  	/* Check for maximum packet size violations. */
 @@ -388,13 +383,13 @@ ipcomp_output(
  		error = EPFNOSUPPORT;
  		goto bad;
  	}
 -	if (skip + hlen + ralen > maxpacketsize) {
 +	if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
  		ipcompstat.ipcomps_toobig++;
  		DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
  		    "(len %u, max len %u)\n", __func__,
  		    ipsec_address(&sav->sah->saidx.dst),
  		    (u_long) ntohl(sav->spi),
 -		    skip + hlen + ralen, maxpacketsize));
 +		    ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
  		error = EMSGSIZE;
  		goto bad;
  	}
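Review bot: Rewriting `skip + hlen + ralen` as `ralen + skip + IPCOMP_HLENGTH` in both the test and the DPRINTF is pure reordering and is correct, but note that the size check still charges IPCOMP_HLENGTH even in the case where compression does not help and the packet now leaves unchanged. That errs on the conservative side, so it is fine; a comment stating that the check assumes the header will be added would spare the next reader a trip through the callback.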
 @@ -412,40 +407,7 @@ ipcomp_output(
  		goto bad;
  	}
  
 -	/* Inject IPCOMP header */
 -	mo = m_makespace(m, skip, hlen, &roff);
 -	if (mo == NULL) {
 -		ipcompstat.ipcomps_wrap++;
 -		DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 -		    __func__, ipsec_address(&sav->sah->saidx.dst),
 -		    (u_long) ntohl(sav->spi)));
 -		error = ENOBUFS;
 -		goto bad;
 -	}
 -	ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 -
 -	/* Initialize the IPCOMP header */
 -	/* XXX alignment always correct? */
 -	switch (sav->sah->saidx.dst.sa.sa_family) {
 -#ifdef INET
 -	case AF_INET:
 -		ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 -		break;
 -#endif /* INET */
 -#ifdef INET6
 -	case AF_INET6:
 -		ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 -		break;
 -#endif
 -	}
 -	ipcomp->comp_flags = 0;
 -	ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 -
 -	/* Fix Next Protocol in IPv4/IPv6 header */
 -	prot = IPPROTO_IPCOMP;
 -	m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot);
 -
 -	/* Ok now, we can pass to the crypto processing */
 +	/* Ok now, we can pass to the crypto processing. */
  
  	/* Get crypto descriptors */
  	crp = crypto_getreq(1);
 @@ -458,10 +420,10 @@ ipcomp_output(
  	crdc = crp->crp_desc;
  
  	/* Compression descriptor */
 -	crdc->crd_skip = skip + hlen;
 -	crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
 +	crdc->crd_skip = skip;
 +	crdc->crd_len = ralen;
  	crdc->crd_flags = CRD_F_COMP;
 -	crdc->crd_inject = skip + hlen;
 +	crdc->crd_inject = skip;
  
  	/* Compression operation */
  	crdc->crd_alg = ipcompx->type;
 @@ -481,7 +443,8 @@ ipcomp_output(
  	tc->tc_spi = sav->spi;
  	tc->tc_dst = sav->sah->saidx.dst;
  	tc->tc_proto = sav->sah->saidx.proto;
 -	tc->tc_skip = skip + hlen;
 +	tc->tc_protoff = protoff;
 +	tc->tc_skip = skip;
  
  	/* Crypto operation descriptor */
  	crp->crp_ilen = m->m_pkthdr.len;	/* Total input length */
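Review bot: `tc->tc_protoff = protoff;` needs a `tc_protoff` member in `struct tdb_crypto`, and the Modified list for this commit names only xform_ipcomp.c, so the MFC builds only if stable/6 already has that field. Confirm with a kernel build on the branch; if it is absent, the header change has to be merged alongside.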
 @@ -508,7 +471,7 @@ ipcomp_output_cb(struct cryptop *crp)
  	struct ipsecrequest *isr;
  	struct secasvar *sav;
  	struct mbuf *m;
 -	int error, skip, rlen;
 +	int error, skip;
  
  	NET_LOCK_GIANT();
  
 @@ -516,7 +479,6 @@ ipcomp_output_cb(struct cryptop *crp)
  	IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
  	m = (struct mbuf *) crp->crp_buf;
  	skip = tc->tc_skip;
 -	rlen = crp->crp_ilen - skip;
  
  	isr = tc->tc_isr;
  	IPSECREQUEST_LOCK(isr);
 @@ -556,7 +518,46 @@ ipcomp_output_cb(struct cryptop *crp)
  	}
  	ipcompstat.ipcomps_hist[sav->alg_comp]++;
  
 -	if (rlen > crp->crp_olen) {
 +	if (crp->crp_ilen - skip > crp->crp_olen) {
 +		struct mbuf *mo;
 +		struct ipcomp *ipcomp;
 +		int roff;
 +		uint8_t prot;
 +
 +		/* Compression helped, inject IPCOMP header. */
 +		mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
 +		if (mo == NULL) {
 +			ipcompstat.ipcomps_wrap++;
 +			DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 +			    __func__, ipsec_address(&sav->sah->saidx.dst),
 +			    (u_long) ntohl(sav->spi)));
 +			error = ENOBUFS;
 +			goto bad;
 +		}
 +		ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 +
 +		/* Initialize the IPCOMP header */
 +		/* XXX alignment always correct? */
 +		switch (sav->sah->saidx.dst.sa.sa_family) {
 +#ifdef INET
 +		case AF_INET:
 +			ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 +			break;
 +#endif /* INET */
 +#ifdef INET6
 +		case AF_INET6:
 +			ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 +			break;
 +#endif
 +		}
 +		ipcomp->comp_flags = 0;
 +		ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 +
 +		/* Fix Next Protocol in IPv4/IPv6 header */
 +		prot = IPPROTO_IPCOMP;
 +		m_copyback(m, tc->tc_protoff, sizeof(u_int8_t),
 +		    (u_char *)&prot);
 +
  		/* Adjust the length in the IP header */
  		switch (sav->sah->saidx.dst.sa.sa_family) {
  #ifdef INET
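Review bot: The else branch ("compression was useless") sends the packet with its original protocol byte and length, which is only correct if the compression driver left the payload untouched when `crp_olen` was not smaller than `crp_ilen - skip`; with `crd_inject == skip` set in the earlier hunk, any in-place write would already have clobbered the uncompressed data. The log ties this to the opencrypto/deflate changes, so state that contract in a comment here. Also, the threshold should include the header about to be inserted (`crp->crp_ilen - skip > crp->crp_olen + IPCOMP_HLENGTH`), otherwise a saving of up to IPCOMP_HLENGTH bytes produces a packet no smaller than the original, against the RFC 3173 2.2 rule referenced in the next hunk.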
 @@ -583,6 +584,8 @@ ipcomp_output_cb(struct cryptop *crp)
  	} else {
  		/* compression was useless, we have lost time */
  		/* XXX add statistic */
 +		/* XXX remember state to not compress the next couple
 +		 *     of packets, RFC 3173, 2.2. Non-Expansion Policy */
  	}
  
  	/* Release the crypto descriptor */
 
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Mon Jan 4 15:28:15 UTC 2010 
State-Changed-Why:  
IPcomp has been fixed and activated by default in HEAD, 8-STABLE, 
7-STABLE and 6-STABLE. 

Note that 6-STABLE did not get the extra statistics to avoid 
problems with interactions with KAME-IPsec and possibly breaking 
other things on a "dead" branch. 

In case you have trouble, just follow up or let me know.

A HUGE THANKS for helping to test changes! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123587 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123587: commit references a PR
Date: Mon,  4 Jan 2010 15:23:43 +0000 (UTC)

 Author: bz
 Date: Mon Jan  4 15:23:32 2010
 New Revision: 201510
 URL: http://svn.freebsd.org/changeset/base/201510
 
 Log:
   MFC r199947, 199950:
     Enable IPcomp by default.
   
     (Note that fast_ipsec.4 was changed, rather than ipsec.4.)
   
   PR:   kern/123587
 
 Modified:
   stable/6/share/man/man4/fast_ipsec.4
   stable/6/sys/netipsec/xform_ipcomp.c
 Directory Properties:
   stable/6/share/man/man4/   (props changed)
   stable/6/sys/   (props changed)
   stable/6/sys/contrib/pf/   (props changed)
   stable/6/sys/dev/cxgb/   (props changed)
 
 Modified: stable/6/share/man/man4/fast_ipsec.4
 ==============================================================================
 --- stable/6/share/man/man4/fast_ipsec.4	Mon Jan  4 15:22:38 2010	(r201509)
 +++ stable/6/share/man/man4/fast_ipsec.4	Mon Jan  4 15:23:32 2010	(r201510)
 @@ -24,7 +24,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd January 20, 2003
 +.Dd November 29, 2009
  .Dt FAST_IPSEC 4
  .Os
  .Sh NAME
 @@ -112,7 +112,9 @@ There is presently no support for IPv6.
  .Pp
  The
  .Tn IPcomp
 -protocol support does not work.
 +protocol may occasionally error because of
 +.Xr zlib 3
 +problems.
  .Pp
  Certain legacy authentication algorithms are not supported because of
  issues with the
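Review bot: The new BUGS sentence is as vague here as in ipsec.4: say what the "error" looks like to the operator and name `net.inet.ipcomp.ipcomp_enable` as the knob to turn the feature back off, since this commit makes it default to on. The unchanged context line "There is presently no support for IPv6." sits just above, while the xform_ipcomp.c diff earlier in this PR carries `#ifdef INET6` cases; if that sentence is still accurate for the stack as a whole, leave it, otherwise this is the moment to update it.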
 
 Modified: stable/6/sys/netipsec/xform_ipcomp.c
 ==============================================================================
 --- stable/6/sys/netipsec/xform_ipcomp.c	Mon Jan  4 15:22:38 2010	(r201509)
 +++ stable/6/sys/netipsec/xform_ipcomp.c	Mon Jan  4 15:23:32 2010	(r201510)
 @@ -66,7 +66,7 @@
  #include <opencrypto/deflate.h>
  #include <opencrypto/xform.h>
  
 -int	ipcomp_enable = 0;
 +int	ipcomp_enable = 1;
  struct	ipcompstat ipcompstat;
  
  SYSCTL_DECL(_net_inet_ipcomp);
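Review bot: r201505, committed 22 minutes earlier on the same branch, carried the log text "Leave it disabled by default until those are fixed as well", and this hunk turns it on without the log saying what changed in between; the state-change note says IPcomp "has been fixed and activated", so one sentence in the log, or a pointer to the rationale in r199947/199950, would reconcile the two.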
 
>Unformatted:
