From bz@zabbadoz.net  Mon Nov  3 14:10:12 2003
Return-Path: <bz@zabbadoz.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6134D16A4CE; Mon,  3 Nov 2003 14:10:12 -0800 (PST)
Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 2FD7443FDF; Mon,  3 Nov 2003 14:10:10 -0800 (PST)
	(envelope-from bz@zabbadoz.net)
Received: from localhost (localhost [127.0.0.1])
	by transport.cksoft.de (Postfix) with ESMTP
	id 1CDA71FF907; Mon,  3 Nov 2003 23:10:08 +0100 (CET)
Received: by transport.cksoft.de (Postfix, from userid 66)
	id 8B9C41FF905; Mon,  3 Nov 2003 23:10:06 +0100 (CET)
Received: by mail.int.zabbadoz.net (Postfix, from userid 1060)
	id DBCF7153F6; Mon,  3 Nov 2003 22:08:24 +0000 (UTC)
Message-Id: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
Date: Mon,  3 Nov 2003 22:08:24 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Reply-To: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc: bzeeb+freebsd@zabbadoz.net, ari.suutari@syncrontech.com,
	ipfw@FreeBSD.org, security@freebsd.org
Subject: [fix] ipfw2 ipsec history option not working
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         58899
>Category:       kern
>Synopsis:       [fix] ipfw2 ipsec history option not working
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    luigi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 03 14:20:15 PST 2003
>Closed-Date:    Sat Dec 20 15:17:46 PST 2003
>Last-Modified:  Sat Dec 20 15:17:46 PST 2003
>Originator:     Bjoern A. Zeeb
>Release:        5.1-CURRENT i386
>Organization:
Zabbadoz.NeT
>Environment:
FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003     bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001  i386

>Description:

	The patch applied on 4 Jul 2003 [1]
	from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624
	will not work in current and might never have worked
	the way it should and is documented.

	The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c
	will never match because opt_ipsec.h is never included.

	Furthermore, because only the check in the verify
	path (ipfw_chk) is #ifdef'ed and not the path where
	the rules get checked before insertion (check_ipfw_struct)
	   __there will be no complaints when
	     adding a rule with ipsec option__ !

	[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33&r2=1.34

>How-To-Repeat:

	add a rule that should match all traffic with
	ipsec history with log option at appropriate place
	in your ruleset; s.th. like:

	ipfw add ... log ip from any to any ipsec

	there will be no match logged;


	alternatively you may simply grep for ipsec_gethist
	in ip_fw2.o; this also will not find a match though it
	should be in there.


>Fix:
	this patch has been verified to make O_IPSEC work
	for me with IPSEC; it has not been verified to work
	with FAST_IPSEC.

	additionally one may also add s.th. like
	#if defined(IPSEC) || defined(FAST_IPSEC)
	for O_IPSEC in check_ipfw_struct().


--- sys/netinet/ip_fw2.c.orig	Mon Nov  3 18:24:57 2003
+++ sys/netinet/ip_fw2.c	Mon Nov  3 20:47:58 2003
@@ -37,6 +37,7 @@
 #include "opt_ipdn.h"
 #include "opt_ipdivert.h"
 #include "opt_inet.h"
+#include "opt_ipsec.h"
 #ifndef INET
 #error IPFIREWALL requires INET.
 #endif /* INET */
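Review bot: the added include is what makes the `#ifdef IPSEC` in ipfw_chk live again, but this hunk alone does not show that guard, and the >Fix text above says the result is unverified under FAST_IPSEC. Before commit, either confirm that the O_IPSEC case in ipfw_chk is guarded the same way the submitter proposes for check_ipfw_struct (`#if defined(IPSEC) || defined(FAST_IPSEC)`) and that ipsec_gethist() is reachable under both options, or state in the PR that the option is only expected to work with IPSEC. After rebuilding an IPSEC kernel, repeat the check from >How-To-Repeat (grep for ipsec_gethist in ip_fw2.o) to confirm the branch is now compiled in.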

>Release-Note:
>Audit-Trail:

From: Mark Linimon <linimon@lonesome.com>
To: freebsd-gnats-submit@FreeBSD.org, bzeeb+freebsd@zabbadoz.net
Cc:  
Subject: Re: kern/58899: [fix] ipfw2 ipsec history option not working
Date: Tue, 11 Nov 2003 06:53:52 +0000

 Adding to audit log from misfiled PR 58910:
 
 Ari Suutari <ari.suutari@syncrontech.com> wrote:
 
   Wow !
 
   The initial patch I submitted must have been
   incomplete somehow, because I really tested this thing
   on -current.
 
   The reason might be that the first patch didn't include
   #ifdef IPSEC at all. Then someone (maybe me on another machine...)
   who tested it complained
   about kernel not compiling without IPSEC - and I added
   the #ifdef IPSEC without testing it 'since it was such a small
   change'.
 
   Please someone, commit the suggested patch. Also,
   if these changes have gone to 4.9, it might be good to
   include this fix for RELENG_4_9 since it is security related.
 
          Ari S.
 
 [guess it's too late for that last part -- mcl]
 
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Nov 15 17:10:10 PST 2003 
Responsible-Changed-Why:  
Assign to ipfw author 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58899 

From: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: luigi@FreeBSD.org
Subject: Re: kern/58899: [fix] ipfw2 ipsec history option not working
Date: Wed, 19 Nov 2003 22:39:02 +0000 (UTC)

 Hi,
 
 I am currently using this patch on IPSec systems and verified it works
 for me.
 
 I think it really should be committed before 5.2.
 
 remarks:
 yet I have not been able to test it on a non-ipsec or fast_ipsec system
 and there is an offset in the patch due to another one I am using.
 
 
 --- ipsec-test/sys/netinet/ip_fw2.c.orig	Tue Nov  4 18:08:00 2003
 +++ ipsec-test/sys/netinet/ip_fw2.c	Tue Nov  4 18:17:18 2003
 @@ -37,6 +37,7 @@
  #include "opt_ipdn.h"
  #include "opt_ipdivert.h"
  #include "opt_inet.h"
 +#include "opt_ipsec.h"
  #ifndef INET
  #error IPFIREWALL requires INET.
  #endif /* INET */
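Review bot: this hunk is the same include fix as in the original report and is independently committable; it must go in before or together with the next hunk, because without opt_ipsec.h neither IPSEC nor FAST_IPSEC is visible in ip_fw2.c and the proposed `#if defined(IPSEC) || defined(FAST_IPSEC)` would be just as dead as the original `#ifdef IPSEC`. The reply notes the patch carries an offset from another local change (visible in the @@ header of the following hunk), so regenerate it against a clean tree rather than applying with fuzz.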
 @@ -2509,7 +2510,9 @@
  		case O_TCPOPTS:
  		case O_ESTAB:
  		case O_VERREVPATH:
 +#if defined(IPSEC) || defined(FAST_IPSEC)
  		case O_IPSEC:
 +#endif
  			if (cmdlen != F_INSN_SIZE(ipfw_insn))
  				goto bad_size;
  			break;
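Review bot: compiling the `case O_IPSEC:` label out of check_ipfw_struct is a user-visible behaviour change that the hunk does not fully show: on a kernel without IPSEC/FAST_IPSEC the opcode now falls through to the switch's default, so confirm that default rejects the instruction with a clear error (rather than skipping the size check or accepting it), and update ipfw(8) to say that a rule with the `ipsec` option is refused on such a kernel instead of silently accepted. Whichever semantics is finally chosen, the man page and this check have to agree; the point from >Description remains that accepting a rule the matcher can never evaluate hides a policy gap from the administrator.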
 
 -- 
 Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
 56 69 73 69 74				http://www.zabbadoz.net/

From: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc: bzeeb+freebsd@zabbadoz.net, sam@errno.com
Subject: Re: kern/58899: [fix] ipfw2 ipsec history option not working
Date: Sat, 20 Dec 2003 12:27:43 +0000 (UTC)

 >Submitter-Id:	current-users
 >Originator:	Bjoern A. Zeeb
 >Organization:	Zabbadoz.NeT
 >Confidential:	no
 >Synopsis:	Re: kern/58899: [fix] ipfw2 ipsec history option not working
 >Severity:	critical
 >Priority:	high
 >Category:	kern
 >Class:		sw-bug
 >Release:	5.1-CURRENT i386
 >Environment:
 FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003     bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001  i386
 
 >Fix:
 
 	A patch for the missing include has been
 	committed and the man page has been updated to
 	reflect that the ipsec option will be
 	ignored if no ipsec support is compiled into the kernel.
 	Thus I consider the second half (#ifdef) of my last
 	patch unneeded.
 
 	Please close this PR.
 
State-Changed-From-To: open->closed 
State-Changed-By: sam 
State-Changed-When: Sat Dec 20 15:16:17 PST 2003 
State-Changed-Why:  
change to add the needed #include was committed; the other 
issue is still up for discussion but should probably be tracked 
separately 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58899 
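Added example, not code from the PR or from the FreeBSD tree: a user-space C model of the mismatch the report describes, where the rule validator (the check_ipfw_struct role) accepts an opcode that the matcher (the ipfw_chk role) cannot evaluate because its implementation was compiled out. rule_check_buggy(), rule_check_fixed(), rule_match(), count_accepted_but_unsupported(), probe_ipsec_rule(), HAVE_IPSEC and the struct pkt fields are hypothetical names chosen for this example; only O_IPSEC and the ipsec_gethist reference echo the PR text. The default build models a kernel without IPsec; building with -DHAVE_IPSEC models one with it.

```c
/*
 * Added example (not FreeBSD code): model of an ipfw-style rule validator
 * that accepts an opcode the packet matcher cannot evaluate.  All names
 * except O_IPSEC are hypothetical.  HAVE_IPSEC stands in for the IPSEC /
 * FAST_IPSEC macros from opt_ipsec.h; leave it undefined to model a kernel
 * built without IPsec, or compile with -DHAVE_IPSEC.
 */
#include <stdbool.h>
#include <stdio.h>

enum opcode { O_NOP, O_PROTO, O_ESTAB, O_IPSEC, O_LAST };

enum verdict { V_NOMATCH = 0, V_MATCH = 1, V_UNSUPPORTED = -1 };

/* Constructed packet summary; ipsec_hist models "has IPsec history". */
struct pkt {
    int proto;
    bool established;
    bool ipsec_hist;
};

/* Validator as it behaved before the fix: O_IPSEC is always accepted. */
bool rule_check_buggy(enum opcode op)
{
    switch (op) {
    case O_NOP:
    case O_PROTO:
    case O_ESTAB:
    case O_IPSEC:
        return true;
    default:
        return false;
    }
}

/* Validator with the guard proposed in the second patch. */
bool rule_check_fixed(enum opcode op)
{
    switch (op) {
    case O_NOP:
    case O_PROTO:
    case O_ESTAB:
#ifdef HAVE_IPSEC
    case O_IPSEC:
#endif
        return true;
    default:
        return false;
    }
}

/* Matcher: the O_IPSEC case only exists when the option is compiled in. */
enum verdict rule_match(enum opcode op, const struct pkt *p)
{
    switch (op) {
    case O_NOP:   return V_MATCH;
    case O_PROTO: return p->proto == 6 ? V_MATCH : V_NOMATCH;
    case O_ESTAB: return p->established ? V_MATCH : V_NOMATCH;
#ifdef HAVE_IPSEC
    case O_IPSEC: return p->ipsec_hist ? V_MATCH : V_NOMATCH; /* ipsec_gethist() stand-in */
#endif
    default:      return V_UNSUPPORTED;
    }
}

/* A rule with the ipsec option, probed with a packet that has IPsec history. */
enum verdict probe_ipsec_rule(void)
{
    struct pkt p = { 6, true, true }; /* constructed input */
    return rule_match(O_IPSEC, &p);
}

/*
 * Consistency check a practitioner would want: count opcodes that the
 * validator accepts but the matcher cannot evaluate.  Anything above zero
 * means a rule can be installed that never matches.
 */
int count_accepted_but_unsupported(bool (*check)(enum opcode))
{
    struct pkt probe = { 6, true, true }; /* constructed input */
    int bad = 0;
    for (int op = O_NOP; op < O_LAST; op++) {
        if (check((enum opcode)op) &&
            rule_match((enum opcode)op, &probe) == V_UNSUPPORTED)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("buggy validator: %d accepted-but-unsupported opcode(s)\n",
           count_accepted_but_unsupported(rule_check_buggy));
    printf("fixed validator: %d accepted-but-unsupported opcode(s)\n",
           count_accepted_but_unsupported(rule_check_fixed));
    return 0;
}
```

Without HAVE_IPSEC the buggy validator lets an `ipsec` rule in while the matcher reports it as unsupported, which is the silent failure the report describes; the fixed validator refuses it at insertion time, so the gap is visible to whoever loads the ruleset.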
>Unformatted:
