From nobody@FreeBSD.org  Mon Jun  6 19:34:10 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5B7BB106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  6 Jun 2011 19:34:10 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 4B7D48FC1F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  6 Jun 2011 19:34:10 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p56JY9iW028316
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 6 Jun 2011 19:34:09 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p56JY99R028315;
	Mon, 6 Jun 2011 19:34:09 GMT
	(envelope-from nobody)
Message-Id: <201106061934.p56JY99R028315@red.freebsd.org>
Date: Mon, 6 Jun 2011 19:34:09 GMT
From: Manuel Kasper <mk@neon1.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] IPv6 in IPsec packets always get passed to pfil
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         157670
>Category:       kern
>Synopsis:       [patch] IPv6 in IPsec packets always get passed to pfil
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 06 19:40:08 UTC 2011
>Closed-Date:    Sun May 04 04:10:06 UTC 2014
>Last-Modified:  Sun May 04 04:10:06 UTC 2014
>Originator:     Manuel Kasper
>Release:        8.2-RELEASE
>Organization:
>Environment:
>Description:
For IPv4, one can use the net.inet.ipsec.filtertunnel sysctl to control whether decapsulated IPsec packets are sent through pfil. This defaults to 0 (unless the deprecated IPSEC_FILTERTUNNEL option is set in the kernel config) and works as intended.

For IPv6, there is a similar sysctl net.ip6.ipsec6.filtertunnel, but it doesn't seem to do anything (i.e. packets get passed to the filter even if it's set to 0).

This is especially annoying when using if_enc, as one will then see decapsulated IPv6 packets twice (once on enc0, and again on the physical interface that the corresponding IPsec packet came in on), when usually one only wants to see them on enc0.

Closer investigation of the kernel source code shows that there is a function ip6_ipsec_filtertunnel() to check whether pfil should be bypassed for a packet, but unlike its v4 counterpart, it doesn't seem to be called anywhere in the ip6_input path.
>How-To-Repeat:
Set up an IPv6 IPsec connection between two FreeBSD 8.2 hosts. Load your favourite pfil-based firewall on one host and add rules to match decapsulated packets on enc0 and the physical interface. Send IPsec traffic from the other host. Observe that the firewall sees each packet twice even though net.ip6.ipsec6.filtertunnel=0.
>Fix:
A simple patch that fixes the issue for me is attached.

Patch attached with submission follows:

--- sys/netinet6/ip6_input.c.orig	2010-12-21 18:09:25.000000000 +0100
+++ sys/netinet6/ip6_input.c	2011-05-18 18:28:36.000000000 +0200
@@ -480,6 +480,14 @@
 	}
 #endif
 
+#ifdef IPSEC
+	/*
+	 * Bypass packet filtering for packets from a tunnel (gif).
+	 */
+	if (ip6_ipsec_filtertunnel(m))
+		goto passin;
+#endif /* IPSEC */
+
 	/*
 	 * Run through list of hooks for input packets.
 	 *
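Review bot: the comment above the new check describes the wrong mechanism: "Bypass packet filtering for packets from a tunnel (gif)." talks about gif tunnels, while ip6_ipsec_filtertunnel() decides for packets that IPsec input has already decapsulated, which is what the PR description and the net.ip6.ipsec6.filtertunnel sysctl are about. Suggest "Bypass packet filtering for packets previously handled by IPsec." so the comment matches the call it annotates. The placement itself, the `#ifdef IPSEC` block with `goto passin` just before the hook loop, is the missing counterpart of the IPv4 path the description refers to and is what the fix needs.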


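To make the effect of the filtertunnel knob concrete, here is a small constructed C model of the pfil stage of ip6_input() as the report describes it (added here; it is not FreeBSD kernel code). It assumes a global standing in for the sysctl and a per-packet flag standing in for the tag IPsec input leaves on a decapsulated packet, and it reports where a firewall sees the inner packet before and after the check from the patch is present.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the pfil decision in ip6_input(); not kernel code. */
static int ipsec6_filtertunnel = 0;   /* stands in for the sysctl knob */

struct pkt {
    bool ipsec_done;     /* set when IPsec input produced this packet (a packet tag in the kernel) */
};

struct seen {
    int on_enc0;         /* decapsulated packet shown on enc0 */
    int on_phys;         /* decapsulated packet shown to pfil on the physical interface */
};

/* Mirrors the contract of ip6_ipsec_filtertunnel(): nonzero means skip pfil. */
static int model_ip6_ipsec_filtertunnel(const struct pkt *p)
{
    return p->ipsec_done && ipsec6_filtertunnel == 0;
}

/* pfil stage of ip6_input() for one packet; 'fixed' selects whether the
 * bypass check added by the PR is present. Returns 1 if the hooks ran. */
static int model_ip6_input_pfil(const struct pkt *p, bool fixed)
{
    if (fixed && model_ip6_ipsec_filtertunnel(p))
        return 0;        /* goto passin: hooks are skipped */
    return 1;            /* hooks run on the receiving interface */
}

/* Deliver one ESP-encapsulated IPv6 packet and report where the firewall
 * sees the decapsulated inner packet. */
static struct seen deliver(bool fixed, int filtertunnel)
{
    struct seen s = {0, 0};
    struct pkt outer = { false };
    struct pkt inner = { true };

    ipsec6_filtertunnel = filtertunnel;
    (void)model_ip6_input_pfil(&outer, fixed);        /* the ESP packet itself is always filtered */
    s.on_enc0 = 1;                                     /* if_enc shows the inner packet */
    s.on_phys = model_ip6_input_pfil(&inner, fixed);   /* inner packet re-enters ip6_input() */
    return s;
}

int main(void)
{
    struct seen before = deliver(false, 0), after = deliver(true, 0), opt_in = deliver(true, 1);
    printf("unpatched:               enc0=%d phys=%d\n", before.on_enc0, before.on_phys);
    printf("patched, filtertunnel=0: enc0=%d phys=%d\n", after.on_enc0, after.on_phys);
    printf("patched, filtertunnel=1: enc0=%d phys=%d\n", opt_in.on_enc0, opt_in.on_phys);
    return 0;
}
```

The unpatched case reproduces the "seen twice" observation from the report; once the check is present, setting the knob to 1 is the only way the inner packet reaches rules on the physical interface.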
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Mon Jun 6 20:13:22 UTC 2011 
Responsible-Changed-Why:  
The functional part looks right at first glance; the comment,
probably copied from IPv4, is utterly wrong, as are some others
related to filtertunnel -- should get rid of all those gif comments
at the same time.

http://www.freebsd.org/cgi/query-pr.cgi?pr=157670 
State-Changed-From-To: open->patched 
State-Changed-By: bz 
State-Changed-When: Wed Jun 8 10:59:51 UTC 2011 
State-Changed-Why:  
Change committed to HEAD, will MFC two weeks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157670 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/157670: commit references a PR
Date: Wed,  8 Jun 2011 10:59:45 +0000 (UTC)

 Author: bz
 Date: Wed Jun  8 10:59:36 2011
 New Revision: 222856
 URL: http://svn.freebsd.org/changeset/base/222856
 
 Log:
   Add the missing call to ip6_ipsec_filtertunnel() to be able to control
   whether decapsulated IPsec packets will be passed to pfil again depending
   on the setting of the net.ip6.ipsec6.filtertunnel sysctl.
   
   PR:		kern/157670
   Submitted by:	Manuel Kasper (mk neon1.net)
   MFC after:	2 weeks
 
 Modified:
   head/sys/netinet6/ip6_input.c
 
 Modified: head/sys/netinet6/ip6_input.c
 ==============================================================================
 --- head/sys/netinet6/ip6_input.c	Wed Jun  8 08:22:54 2011	(r222855)
 +++ head/sys/netinet6/ip6_input.c	Wed Jun  8 10:59:36 2011	(r222856)
 @@ -504,6 +504,13 @@ ip6_input(struct mbuf *m)
  		goto bad;
  	}
  #endif
 +#ifdef IPSEC
 +	/*
 +	 * Bypass packet filtering for packets previously handled by IPsec.
 +	 */
 +	if (ip6_ipsec_filtertunnel(m))
 +		goto passin;
 +#endif /* IPSEC */
  
  	/*
  	 * Run through list of hooks for input packets.
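Review bot: the operational consequence of this hunk deserves a note for administrators rather than a code change. When net.ip6.ipsec6.filtertunnel is 0, as in the reproduction in the PR, `if (ip6_ipsec_filtertunnel(m)) goto passin;` now skips every pfil input hook for a decapsulated IPv6 packet on the interface the ESP packet arrived on, so any ruleset that until now matched such traffic on the physical interface stops matching it and must either move those rules to enc0 (if_enc) or set the sysctl to 1. The corrected comment "Bypass packet filtering for packets previously handled by IPsec." also replaces the gif wording flagged in the audit trail.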

From: Manuel Kasper <mk@neon1.net>
To: bug-followup@FreeBSD.org
Cc: bz@FreeBSD.org
Subject: Re: kern/157670: [patch] IPv6 in IPsec packets always get passed to pfil
Date: Wed, 8 Jun 2011 16:00:12 +0200

 > The functional part looks right at first glance; the comment,
 > probably copied from IPv4, is utterly wrong, as are some others
 > related to filtertunnel -- should get rid of all those gif comments
 > at the same time.
 
 Excellent, thanks! I've also been wondering what IPsec had to do with
 gif, but simply copy/pasted from ip_input.
 
 - Manuel
State-Changed-From-To: patched->closed 
State-Changed-By: linimon 
State-Changed-When: Sun May 4 04:09:33 UTC 2014 
State-Changed-Why:  
Committed back in 2011.

http://www.freebsd.org/cgi/query-pr.cgi?pr=157670 
>Unformatted:
