From eugen@grosbein.pp.ru  Sun May 18 13:37:51 2008
Return-Path: <eugen@grosbein.pp.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 22A1C1065674
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 18 May 2008 13:37:51 +0000 (UTC)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (grgw.svzserv.kemerovo.su [213.184.64.166])
	by mx1.freebsd.org (Postfix) with ESMTP id 2E5EF8FC1B
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 18 May 2008 13:37:48 +0000 (UTC)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (localhost [127.0.0.1])
	by grosbein.pp.ru (8.14.2/8.14.2) with ESMTP id m4IDbZRQ090663
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 18 May 2008 21:37:36 +0800 (KRAST)
	(envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost)
	by grosbein.pp.ru (8.14.2/8.14.2/Submit) id m4IDbZ8A090662;
	Sun, 18 May 2008 21:37:35 +0800 (KRAST)
	(envelope-from eugen)
Message-Id: <200805181337.m4IDbZ8A090662@grosbein.pp.ru>
Date: Sun, 18 May 2008 21:37:35 +0800 (KRAST)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Reply-To: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [ipsec] [patch] KAME IPSEC does not pass processed packets to pfil hooks
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         123793
>Category:       kern
>Synopsis:       [ipsec] [patch] KAME IPSEC does not pass processed packets to pfil hooks
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 18 13:40:02 UTC 2008
>Closed-Date:    Mon Jan 04 15:32:30 UTC 2010
>Last-Modified:  Mon Jan 04 15:32:30 UTC 2010
>Originator:     Eugene Grosbein
>Release:        FreeBSD 6.3-STABLE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: RELENG_6

>Description:
	(This issue applies to RELENG_6 only, as newer versions
	do not contain KAME IPSEC implementation anymore.)

	When the AH, ESP or IPCOMP protocols finish packet processing,
	they pass the packets directly to pr_input() for the appropriate
	encapsulated protocol. Thus, it is not possible to filter
	incoming packets processed with this IPSEC implementation
	after they have been decrypted.

	Let's consider a simple schema:

L-R+G-Internet

	Here R is a router (FreeBSD 6.3), L is a host in its LAN
	using private IP addresses (RFC 1918).
	The plus sign designates the provider's radio-ethernet segment built with
	L2 radio-bridges, G is the provider's gateway to the Internet.
	R and G use public IP addresses within the radio-ethernet,
	so R does NAT for L.

	There is also another host H in the same radio-ethernet segment,
	in the same IP network as R and G; it has a public IP address.
	We need to protect traffic between R and H, so we run IPSEC on R and H.
	It works nicely for traffic running between R and G.

	Now let's see what happens when L connects to H.
	The outgoing packet from L goes through NAT on R;
	the translated packet then goes through IPSEC and finally reaches H.
	Now H sends its encrypted reply, which reaches R, and R decrypts it.
	But IPSEC does not pass the decrypted packet down to ip_input();
	it passes it to pr_input() directly, so H's reply gets delivered
	locally instead of being NAT'ed and forwarded.
	Finally, it is dropped.

	Kernel option IPSEC_FILTERGIF should help in this case
	but it does not.

	The newer FAST_IPSEC implementation does not have this problem:
	it passes the decrypted answer to ip_input() via netisr,
	so it reaches the pfil hooks and may be processed with NAT
	and then routed successfully.

	However, switching to FAST_IPSEC is not an option when
	we require working IPCOMP support. See this PR for details:
	http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/123587

	So, the solution is to make the kernel option IPSEC_FILTERGIF
	cover this case and pass the decrypted incoming packet
	again to ip_input() via netisr, just like FAST_IPSEC does,
	thus bringing the old implementation's behaviour more in line
	with the new one.

>How-To-Repeat:
	See description
>Fix:

	The patch is pretty small and simple:

	ftp://www.kuzbass.ru/pub/freebsd/patches/ipsec-filter.diff.gz
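	To make the difference between the two dispatch paths concrete, here is a simplified model added to this write-up; it is neither the PR's patch nor kernel code, and the addresses, NAT port and listening port are constructed. It follows H's decrypted reply through the KAME direct-to-pr_input() path and through the netisr re-injection path that FAST_IPSEC (and the patched KAME with ip4_one_pass=0) use.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed addresses: documentation range for the radio segment, RFC 1918 for L. */
#define ADDR_R_PUBLIC  0xC0000201u   /* 192.0.2.1: R on the radio-ethernet */
#define ADDR_H_PUBLIC  0xC0000205u   /* 192.0.2.5: the IPsec peer H */
#define ADDR_L_PRIVATE 0x0A000002u   /* 10.0.0.2: L behind NAT on R */
#define NAT_PORT       40000u        /* port R chose when translating L's packet */
#define R_LISTEN_PORT  22u           /* the only service R itself listens on here */

enum disposition { DROPPED = 0, DELIVERED_LOCALLY = 1, FORWARDED_TO_LAN = 2 };
struct pkt { uint32_t src, dst; uint16_t dport; };

/* pfil hook on R: reverse translation for replies to the NAT'd port. */
static void pfil_nat_hook(struct pkt *p) {
    if (p->dst == ADDR_R_PUBLIC && p->dport == NAT_PORT)
        p->dst = ADDR_L_PRIVATE;
}

/* Transport input on R: a packet is accepted only if a local socket is bound. */
static enum disposition pr_input(const struct pkt *p) {
    return p->dport == R_LISTEN_PORT ? DELIVERED_LOCALLY : DROPPED;
}

/* ip_input() after the hooks: forward unless the packet is addressed to R. */
static enum disposition ip_input(const struct pkt *p) {
    return p->dst == ADDR_R_PUBLIC ? pr_input(p) : FORWARDED_TO_LAN;
}

/* KAME path: esp_input() hands the decrypted packet straight to pr_input(),
 * so neither the pfil hooks nor the forwarding decision run. */
enum disposition kame_direct_path(struct pkt p) { return pr_input(&p); }

/* FAST_IPSEC path (and the PR's patched KAME with net.inet.ipsec.ip4_one_pass=0):
 * the decrypted packet goes back through ip_input() via netisr, hooks included. */
enum disposition netisr_reinject_path(struct pkt p) {
    pfil_nat_hook(&p);
    return ip_input(&p);
}

/* H's decrypted reply to L's NAT'd connection, as it arrives on R (constructed). */
struct pkt sample_reply_from_h(void) {
    struct pkt p = { ADDR_H_PUBLIC, ADDR_R_PUBLIC, NAT_PORT };
    return p;
}

int main(void) {
    printf("KAME direct: %d, netisr reinject: %d\n",
           kame_direct_path(sample_reply_from_h()), netisr_reinject_path(sample_reply_from_h()));
    return 0;
}
```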
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: vwe 
Responsible-Changed-When: Sun May 18 14:59:11 UTC 2008 
Responsible-Changed-Why:  

I think this is something for Bjoern. Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123793 

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: bug-followup@freebsd.org
Cc: bz@freebsd.org
Subject: Re: kern/123793: [ipsec] [patch] KAME IPSEC does not pass processed packets to pfil hooks
Date: Sat, 24 May 2008 21:45:40 +0800

 Hi!
 
 This change cannot pass normal testing in HEAD because
 HEAD does not have KAME IPSEC. So it needs to be committed directly
 to RELENG_6, which is dangerous. Therefore, I modified
 the patch to be completely POLA-compatible: it introduces a
 new sysctl net.inet.ipsec.ip4_one_pass with default value 1
 that corresponds to the current behaviour. One has to change it to 0
 to make decrypted packets be passed to the packet filter hooks.
 
 So, committing the patch is pretty safe.
 For kernels that have no option IPSEC_FILTERGIF, it is a "no-op" change.
 
 Eugene Grosbein
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Tue Nov 17 21:21:19 UTC 2009 
State-Changed-Why:  
Submitter has been asked if this is still relevant for him. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123793 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, eugen@grosbein.pp.ru
Cc:  
Subject: Re: kern/123793: [ipsec] [patch] KAME IPSEC does not pass processed
 packets to pfil hooks
Date: Tue, 17 Nov 2009 21:21:02 +0000 (UTC)

 Hi,
 
 is this still a problem for you?
 
 I'd rather not touch 6-STABLE for a change like this anymore.
 
 -- 
 Bjoern A. Zeeb         It will not break if you know what you are doing.

From: Eugene Grosbein <egrosbein@rdtc.ru>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/123793: [ipsec] [patch] KAME IPSEC does not pass processed
 packets to pfil hooks
Date: Wed, 18 Nov 2009 09:51:39 +0700

 Bjoern A. Zeeb wrote:
 > Hi,
 > 
 > is this still a problem for you?
 > 
 > I'd rather not touch 6-STABLE for a change like this anymore.
 > 
 
 Well, until IPCOMP is fixed in recent versions I seem to be "stuck" with KAME IPSEC
 and with 6-STABLE. I have used the patch all the time since May 2008 and have had no troubles.
 
 Again, it is a "no-op" for kernels without option IPSEC_FILTERGIF.
 And it is a "no-op" for kernels with this option until the administrator changes
 the value of the new sysctl net.inet.ipsec.ip4_one_pass from the default value 1 to 0.
 
 Eugene Grosbein

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: Eugene Grosbein <egrosbein@rdtc.ru>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/123793: [ipsec] [patch] KAME IPSEC does not pass processed
 packets to pfil hooks
Date: Fri, 20 Nov 2009 16:13:15 +0000 (UTC)

 On Wed, 18 Nov 2009, Eugene Grosbein wrote:
 
 > Bjoern A. Zeeb wrote:
 >> Hi,
 >>
 >> is this still a problem for you?
 >>
 >> I'd rather not touch 6-STABLE for a change like this anymore.
 >>
 >
 > Well, until IPCOMP is fixed in recent versions I seem to be "stuck" with KAME IPSEC
 > and with 6-STABLE.
 
 So if that were fixed, would you agree to closing this w/o a commit
 to RELENG_6?
 
 And would you be able/willing to test patches for any of 8/9, most
 likely applying to 7 and perhaps 6 as well, so that we could
 close kern/123587 as well?
 
 /bz
 
 -- 
 Bjoern A. Zeeb         It will not break if you know what you are doing.

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: "Bjoern A. Zeeb" <bz@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/123793: [ipsec] [patch] KAME IPSEC does not pass processed
 packets to pfil hooks
Date: Sat, 21 Nov 2009 16:18:15 +0700

 Bjoern A. Zeeb wrote:
 
 >>> Hi,
 >>>
 >>> is this still a problem for you?
 >>>
 >>> I'd rather not touch 6-STABLE for a change like this anymore.
 >>>
 >> Well, until IPCOMP is fixed in recent versions I seem to be "stuck" with KAME IPSEC
 >> and with 6-STABLE.
 > 
 > So if that were fixed, would you agree to closing this w/o a commit
 > to RELENG_6?
 
 Yes.
 
 > 
 > And would you be able/willing to test patches for any of 8/9, most
 > likely applying to 7 and perhaps 6 as well, so that we could
 > close kern/123587 as well?
 
 Yes, I'd love to :-)
 
State-Changed-From-To: feedback->closed 
State-Changed-By: bz 
State-Changed-When: Mon Jan 4 15:31:23 UTC 2010 
State-Changed-Why:  
As previously discussed, this would be closed once IPcomp was fixed, 
which has happened now (see PR 123587). 

Thanks a lot! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123793 
>Unformatted:
