From ari@coffee.syncrontech.com  Sun Jun 22 23:26:16 2003
Return-Path: <ari@coffee.syncrontech.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8D8D737B405
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 22 Jun 2003 23:26:16 -0700 (PDT)
Received: from coffee.syncrontech.com (coffee.syncrontech.com [62.71.8.37])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4F2FD43F3F
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 22 Jun 2003 23:26:15 -0700 (PDT)
	(envelope-from ari@coffee.syncrontech.com)
Received: from coffee.syncrontech.com (localhost [127.0.0.1])
	by coffee.syncrontech.com (8.12.9/8.12.9) with ESMTP id h5N6QD6H015586
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 23 Jun 2003 09:26:13 +0300 (EEST)
	(envelope-from ari@coffee.syncrontech.com)
Received: (from ari@localhost)
	by coffee.syncrontech.com (8.12.9/8.12.9/Submit) id h5N6QCxG015585;
	Mon, 23 Jun 2003 09:26:12 +0300 (EEST)
Message-Id: <200306230626.h5N6QCxG015585@coffee.syncrontech.com>
Date: Mon, 23 Jun 2003 09:26:12 +0300 (EEST)
From: Ari Suutari <ari.suutari@syncrontech.com>
Reply-To: Ari Suutari <ari.suutari@syncrontech.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: patches for ipfw2 to support ipsec packet filtering
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         53624
>Category:       kern
>Synopsis:       patches for ipfw2 to support ipsec packet filtering
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 22 23:30:03 PDT 2003
>Closed-Date:    Sun Jul 06 18:13:28 PDT 2003
>Last-Modified:  Sun Jul 06 18:13:28 PDT 2003
>Originator:     Ari Suutari
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
Syncron Tech Oy
>Environment:
System: FreeBSD coffee.syncrontech.com 5.1-RELEASE FreeBSD 5.1-RELEASE #6: Thu Jun 19 12:57:30 EEST 2003 root@coffee.syncrontech.com:/usr/src/sys/i386/compile/COFFEE i386


>Description:

	There is no support in FreeBSD ipfw2 to build rules
	that match packets if they are coming via an IPsec connection.
	This is necessary for building secure firewalls in an
	IPsec environment, however.
	
>How-To-Repeat:

	N/A
>Fix:

	Apply following patches, compile ipfw2 again, compile
	kernel with

	options  IPFIREWALL
	options IPSEC
	options IPSEC_ESP
	options IPSEC_FILTERGIF

	and you have a new keyword 'ipsec'.
	With the new flag it is easily possible to
	stop spoofing from RFC1918 networks, but
	allow traffic from those nets if it is coming
	from IPsec:

ipfw add deny all from 192.168.0.0/16 to any via ${oif} not ipsec
ipfw add pass tcp from 192.168.x.y/24 to a.b.c.d 23 ipsec setup

	This example drops spoofed packets, but allows
	telnet connection *if* the packet comes via ipsec.


	Patches for /sys/netinet and /usr/sbin/ipfw:


Index: ip_fw.h
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.76.2.1
diff -u -r1.76.2.1 ip_fw.h
--- ip_fw.h	4 Jun 2003 02:19:36 -0000	1.76.2.1
+++ ip_fw.h	19 Jun 2003 08:17:44 -0000
@@ -119,6 +119,7 @@
 	O_TEE,			/* arg1=port number		*/
 	O_FORWARD_IP,		/* fwd sockaddr			*/
 	O_FORWARD_MAC,		/* fwd mac			*/
+	O_IPSEC,		/* has ipsec history		*/
 	O_LAST_OPCODE		/* not an opcode!		*/
 };
 
Index: ip_fw2.c
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.28.2.1
diff -u -r1.28.2.1 ip_fw2.c
--- ip_fw2.c	4 Jun 2003 02:19:36 -0000	1.28.2.1
+++ ip_fw2.c	19 Jun 2003 18:24:40 -0000
@@ -1787,6 +1787,14 @@
 				     (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
 				break;
 
+                        case O_IPSEC:
+#ifdef IPSEC
+                                match = (ipsec_gethist(m, NULL) != NULL);
+#else
+				match = 0;
+#endif
+      				break;
+
 			case O_LOG:
 				if (fw_verbose)
 					ipfw_log(f, hlen, args->eh, m, oif);
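Review bot: ipsec_gethist() is declared in <netinet6/ipsec.h>, and this version of the patch adds no such include to ip_fw2.c, so with options IPSEC the kernel build fails or warns about an implicit declaration unless the header already reaches this file indirectly (the follow-up patch in this PR adds the include). Style: the `case O_IPSEC:` line, the `match = (ipsec_gethist(m, NULL) != NULL);` line and the `break;` are indented with spaces while the neighbouring cases use tabs, which style(9) does not accept. One consequence of matching on input history is worth spelling out for the example in the description: `via ${oif}` matches both directions, so if this host forwards traffic from a 192.168.0.0/16 network into the tunnel, those outbound packets carry no IPsec history yet and the `deny ... via ${oif} not ipsec` rule drops them; `in via ${oif}` (or `recv ${oif}`) restricts the anti-spoofing rule to the inbound side where the history exists.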
@@ -2378,6 +2386,7 @@
 		case O_TCPFLAGS:
 		case O_TCPOPTS:
 		case O_ESTAB:
+		case O_IPSEC:
 		case O_VERREVPATH:
 			if (cmdlen != F_INSN_SIZE(ipfw_insn))
 				goto bad_size;
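Review bot: the size check is correct, but a kernel built without options IPSEC accepts the instruction here and then silently never matches it (the `match = 0;` branch in the previous hunk), so `pass ... ipsec` never passes anything and `deny ... not ipsec` drops everything. Rejecting O_IPSEC at install time in this switch when IPSEC is not defined (an `#ifndef IPSEC` branch that returns EINVAL the way the bad_size path does) turns a surprising policy into an error the administrator sees when loading the ruleset.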


--------

Index: ipfw.8
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.122
diff -u -r1.122 ipfw.8
--- ipfw.8	15 Mar 2003 01:13:00 -0000	1.122
+++ ipfw.8	19 Jun 2003 10:21:30 -0000
@@ -835,6 +835,8 @@
 specified as argument.
 .It Cm established
 Matches TCP packets that have the RST or ACK bits set.
+.It Cm ipsec
+Matches IP packets that have originated from IPsec stack.
 .It Cm frag
 Matches packets that are fragments and not the first
 fragment of an IP datagram. Note that these packets will not have
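Review bot: "Matches IP packets that have originated from IPsec stack" does not tell the administrator what is actually tested; suggest wording such as "Matches packets that have been processed by IPsec on input (for example, packets that arrived through an IPsec tunnel). Requires a kernel built with options IPSEC; otherwise this option never matches." The entries in this list are alphabetical (established, frag, ...), so the new `.It Cm ipsec` entry belongs after frag rather than between established and frag.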
Index: ipfw2.c
===================================================================
RCS file: /net/pommac/scratch/freebsd-cvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.23.2.1
diff -u -r1.23.2.1 ipfw2.c
--- ipfw2.c	4 Jun 2003 02:19:36 -0000	1.23.2.1
+++ ipfw2.c	19 Jun 2003 08:25:33 -0000
@@ -242,6 +242,7 @@
 	TOK_DROPTAIL,
 	TOK_PROTO,
 	TOK_WEIGHT,
+	TOK_IPSEC,
 };
 
 struct _s_x dummynet_params[] = {
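Review bot: style point on the enum placement: TOK_DROPTAIL, TOK_PROTO and TOK_WEIGHT above the insertion are dummynet tokens, whereas TOK_IPSEC is a rule-option token like TOK_VERREVPATH (used in the rule_options table later in this patch); placing it next to TOK_VERREVPATH keeps the enum grouped by purpose and makes the next addition easier to place.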
@@ -335,6 +336,7 @@
 	{ "mac",		TOK_MAC },
 	{ "mac-type",		TOK_MACTYPE },
 	{ "verrevpath",		TOK_VERREVPATH },
+	{ "ipsec",		TOK_IPSEC },
 
 	{ "not",		TOK_NOT },		/* pseudo option */
 	{ "!", /* escape ? */	TOK_NOT },		/* pseudo option */
@@ -1131,6 +1133,10 @@
 				printf(" established");
 				break;
 
+			case O_IPSEC:
+				printf(" ipsec");
+				break;
+
 			case O_TCPFLAGS:
 				print_flags("tcpflags", cmd, f_tcpflags);
 				break;
@@ -3050,6 +3056,10 @@
 
 		case TOK_ESTAB:
 			fill_cmd(cmd, O_ESTAB, 0, 0);
+			break;
+
+		case TOK_IPSEC:
+			fill_cmd(cmd, O_IPSEC, 0, 0);
 			break;
 
 		case TOK_SETUP:
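Review bot: missing documentation on the userland side: the parser change is consistent with the kernel opcode, but if the usage/help text in ipfw2.c enumerates the option keywords (established, verrevpath and the others in the rule_options table), `ipsec` should be added there too, since together with the ipfw(8) entry that is the only place a user discovers the keyword.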
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Mon Jun 23 11:45:08 PDT 2003 
Responsible-Changed-Why:  
Reassign misfiled PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=53624 
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Mon Jun 23 11:46:02 PDT 2003 
Responsible-Changed-Why:  
Over to the ipfw maintainers. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=53624 

From: Ari Suutari <ari.suutari@syncrontech.com>
To: freebsd-gnats-submit@FreeBSD.org, ari.suutari@syncrontech.com
Cc:  
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Date: Tue, 1 Jul 2003 08:33:41 +0300

 Here is a new patch for /sys/netinet/ip_fw2.c, which
 adds support for FAST_IPSEC also (untested, but I believe that
 it should work due to the change being simple). 
 
 
 Index: ip_fw.h
 ===================================================================
 RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v
 retrieving revision 1.76.2.1
 diff -u -r1.76.2.1 ip_fw.h
 --- ip_fw.h	4 Jun 2003 02:19:36 -0000	1.76.2.1
 +++ ip_fw.h	19 Jun 2003 08:17:44 -0000
 @@ -119,6 +119,7 @@
  	O_TEE,			/* arg1=port number		*/
  	O_FORWARD_IP,		/* fwd sockaddr			*/
  	O_FORWARD_MAC,		/* fwd mac			*/
 +	O_IPSEC,		/* has ipsec history		*/
  	O_LAST_OPCODE		/* not an opcode!		*/
  };
  
 Index: ip_fw2.c
 ===================================================================
 RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v
 retrieving revision 1.28.2.1
 diff -u -r1.28.2.1 ip_fw2.c
 --- ip_fw2.c	4 Jun 2003 02:19:36 -0000	1.28.2.1
 +++ ip_fw2.c	1 Jul 2003 05:28:44 -0000
 @@ -73,6 +73,10 @@
  #include <netinet/udp.h>
  #include <netinet/udp_var.h>
  
 +#ifdef IPSEC
 +#include <netinet6/ipsec.h>
 +#endif
 +
  #include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */
  
  #include <machine/in_cksum.h>	/* XXX for in_cksum */
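Review bot: IPSEC and FAST_IPSEC are kernel configuration options that reach C code only through the generated "opt_ipsec.h" header; this hunk tests `#ifdef IPSEC` here and the next one tests `#ifdef FAST_IPSEC`, but neither adds `#include "opt_ipsec.h"`. Unless ip_fw2.c already includes it (not visible in the context shown), both tests are always false and the keyword compiles to `match = 0` on every kernel, which is exactly the silent-no-match behaviour noted on the first patch. Since the submitter says the FAST_IPSEC path is untested, a compile of both configurations (options IPSEC and options FAST_IPSEC) would also confirm that m_tag_find() and PACKET_TAG_IPSEC_IN_DONE are visible without an additional header.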
 @@ -1787,6 +1791,18 @@
  				     (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
  				break;
  
 +                        case O_IPSEC:
 +#ifdef FAST_IPSEC
 +				match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
 +#else
 +#ifdef IPSEC
 +                                match = (ipsec_gethist(m, NULL) != NULL);
 +#else
 +				match = 0;
 +#endif /* IPSEC */
 +#endif /* FAST_IPSEC */
 +      				break;
 +
  			case O_LOG:
  				if (fw_verbose)
  					ipfw_log(f, hlen, args->eh, m, oif);
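Review bot: two nested `#ifdef`/`#else`/`#endif` pairs with mixed space and tab indentation are hard to read; the same three-way choice reads better as one conditional, `#if defined(FAST_IPSEC)` ... `#elif defined(IPSEC)` ... `#else` ... `#endif`, and the `case O_IPSEC:`, `match = ...` and `break;` lines should be tab-indented like the surrounding cases. The two branches do agree on semantics: PACKET_TAG_IPSEC_IN_DONE is attached only to packets that completed IPsec input processing, so under both implementations the keyword matches packets that arrived via IPsec and nothing else; that inbound-only meaning should be stated in ipfw.8.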
 @@ -2378,6 +2394,7 @@
  		case O_TCPFLAGS:
  		case O_TCPOPTS:
  		case O_ESTAB:
 +		case O_IPSEC:
  		case O_VERREVPATH:
  			if (cmdlen != F_INSN_SIZE(ipfw_insn))
  				goto bad_size;
 
State-Changed-From-To: open->closed 
State-Changed-By: luigi 
State-Changed-When: Sun Jul 6 18:13:14 PDT 2003 
State-Changed-Why:  
committed, thanks 


http://www.freebsd.org/cgi/query-pr.cgi?pr=53624 
>Unformatted:
