From durian@fever.boogie.com  Mon Feb 10 10:47:08 2003
Return-Path: <durian@fever.boogie.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C6E2337B40E
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Feb 2003 10:47:08 -0800 (PST)
Received: from fever.boogie.com (cpe-66-87-52-132.co.sprintbbd.net [66.87.52.132])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E9A8343F85
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Feb 2003 10:47:07 -0800 (PST)
	(envelope-from durian@fever.boogie.com)
Received: from man.boogie.com (man [192.168.1.3])
	by fever.boogie.com (8.12.6/8.12.6) with ESMTP id h1AIl7Qh000791
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Feb 2003 11:47:07 -0700 (MST)
	(envelope-from durian@fever.boogie.com)
Received: from man.boogie.com (localhost [127.0.0.1])
	by man.boogie.com (8.12.6/8.12.6) with ESMTP id h1AIl7cj076416
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Feb 2003 11:47:07 -0700 (MST)
	(envelope-from durian@man.boogie.com)
Received: (from durian@localhost)
	by man.boogie.com (8.12.6/8.12.6/Submit) id h1AIl673076415;
	Mon, 10 Feb 2003 11:47:06 -0700 (MST)
Message-Id: <200302101847.h1AIl673076415@man.boogie.com>
Date: Mon, 10 Feb 2003 11:47:06 -0700 (MST)
From: Mike Durian <durian@boogie.com>
Reply-To: Mike Durian <durian@boogie.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ip_input.c change 1.214 results in double processing
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         48159
>Category:       kern
>Synopsis:       ip_input.c change 1.214 results in double processing
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    sam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 10 10:50:02 PST 2003
>Closed-Date:    Sun Feb 23 18:51:03 PST 2003
>Last-Modified:  Wed Feb 26 22:00:19 PST 2003
>Originator:     Mike Durian
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD man.boogie.com 5.0-CURRENT FreeBSD 5.0-CURRENT #11: Mon Feb 3 15:50:00 MST 2003 root@man.boogie.com:/disk2/obj/disk2/src/sys/BOOGIE i386
>Description:
	Despite the following comment from change 1.214 to ip_input.c:

		Get rid of checking for ip sec history. It is true
		that packets are not supposed to be checked by the
		firewall rules twice. However, because the various
		ipsec handlers never call ip_input(), this never
		happens anyway.

	IPsec packets do get processed twice - once as ESP packets and
	once in their decrypted form.  If I back out change 1.214,
	the packets are only processed once as ipfilter documents
	(see http://coombs.anu.edu.au/~avalon/ipfil-flow.html).

>How-To-Repeat:
	Set up a standard IPsec tunnel (don't use additional gif tunnels).
	Let's call the far side a.a.a.0/24.
	Create rules to pass esp packets, but block a.a.a.0/24 packets.
	If change 1.214 is in place, you will not receive traffic from
	a.a.a.0/24 as the decrypted packets will be blocked by the block
	rule.  If change 1.214 is removed, you will receive the packets
	as the ESP rule passes them and they are not processed again
	in decrypted form.
>Fix:

	Back out ip_input.c change 1.214.


>Release-Note:
>Audit-Trail:

From: Andriy Gapon <agapon@cv-nj.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/48159: ip_input.c change 1.214 results in double processing
Date: Thu, 13 Feb 2003 16:05:26 -0500 (EST)

 -stable (obviously) has the same problem, while 4.7-release doesn't.
 This problem is quite painful, since there is no way to distinguish
 packets coming out of ipsec tunnel from the regular ip packets and I have
 to keep a gap in my firewall to allow the former, which can be abused by the
 latter.
 
 -- 
 Andriy Gapon
Responsible-Changed-From-To: freebsd-bugs->sam 
Responsible-Changed-By: sam 
Responsible-Changed-When: Thu Feb 13 15:04:53 PST 2003 
Responsible-Changed-Why:  
I ok'd this change; I will resolve this issue. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48159 
State-Changed-From-To: open->closed 
State-Changed-By: sam 
State-Changed-When: Sun Feb 23 18:50:09 PST 2003 
State-Changed-Why:  
added IPSEC_FILTERGIF config option to control this behaviour with 
a default that reverts things to what they were before 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48159 

From: "Bill O'Connell" <oconnell@ns1.springwoodsys.com>
To: freebsd-gnats-submit@FreeBSD.org, durian@boogie.com
Cc: sam@errno.com
Subject: Re: kern/48159: ip_input.c change 1.214 results in double processing
Date: Thu, 27 Feb 2003 00:52:04 -0500 (EST)

 I don't think the IPSEC_FILTERGIF fix fully addresses PR kern/48159.
 The "How-to-Repeat" section of the PR specifically identifies the
 problem as *not* associated with GIF tunnels, but rather with plain
 old IPSec tunnels. I don't use GIFs with IPsec tunnels, so this fix
 doesn't help me. (Besides, doesn't using GIFs for a straight IPv4
 IPsec tunnel result in unnecessary processing and packet overhead?)
 What would help is a kernel config option that covers *all* IPsec
 packets, not just those that come out of a GIF tunnel.
 
 
 Bill O'Connell
>Unformatted:
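
The firewall configuration that the PR's How-To-Repeat section describes, written out as an ipfilter rule set. This is an added example, not part of the PR or of the FreeBSD source; 192.0.2.0/24 is a constructed stand-in for the PR's "a.a.a.0/24" and should be read as the remote tunnel subnet.

```conf
# Added example (not from the PR): ipfilter rules of the shape described in
# kern/48159's How-To-Repeat. 192.0.2.0/24 is a constructed placeholder for
# the PR's "a.a.a.0/24" (the subnet on the far side of the IPsec tunnel).

# Pass the outer ESP packets that carry the tunnel traffic.
pass in quick proto esp from any to any

# Block cleartext packets that claim to come from the far side of the tunnel.
block in quick from 192.0.2.0/24 to any

# Everything else is allowed for the purposes of this test.
pass in all
```

With ip_input.c change 1.214 in place, the PR reports that the decrypted inner packet is run through the filter a second time and matches the block rule, so nothing from 192.0.2.0/24 arrives; with the change backed out, only the outer ESP packet is filtered and the tunnel traffic passes. Andriy Gapon's follow-up shows why this matters for a defender: the only workaround under the double-processing behaviour is to pass 192.0.2.0/24 outright, which also admits unencrypted packets forged with that source range, since the filter cannot tell the two apart.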
