From ari.suutari@syncrontech.com  Mon Nov  3 22:52:33 2003
Return-Path: <ari.suutari@syncrontech.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4149316A4CE; Mon,  3 Nov 2003 22:52:33 -0800 (PST)
Received: from cocoa.syncrontech.com (cocoa-e0.syncrontech.com [62.71.8.66])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id BC29043F85; Mon,  3 Nov 2003 22:52:29 -0800 (PST)
	(envelope-from ari.suutari@syncrontech.com)
Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.19])
	by cocoa.syncrontech.com (8.12.8p2/8.12.8) with ESMTP id hA46qQEQ017449;
	Tue, 4 Nov 2003 08:52:27 +0200 (EET)
	(envelope-from ari.suutari@syncrontech.com)
Received: from coffee.syncrontech.com (coffee.syncrontech.com [62.71.8.37])
	by guinness.syncrontech.com (8.12.8p2/8.12.8) with ESMTP id hA46qMC5036170;
	Tue, 4 Nov 2003 08:52:22 +0200 (EET)
	(envelope-from ari.suutari@syncrontech.com)
Message-Id: <200311040852.25359.ari.suutari@syncrontech.com>
Date: Tue, 4 Nov 2003 08:52:25 +0200
From: Ari Suutari <ari.suutari@syncrontech.com>
To: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>,
	FreeBSD-gnats-submit@freebsd.org
Cc: bzeeb+freebsd@zabbadoz.net, ipfw@freebsd.org,
	security@freebsd.org
In-Reply-To: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
Subject: Re: [fix] ipfw2 ipsec history option not working
References: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>

>Number:         58910
>Category:       kern
>Synopsis:       Re: [fix] ipfw2 ipsec history option not working
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 03 23:00:35 PST 2003
>Closed-Date:    Tue Nov 11 13:23:44 PST 2003
>Last-Modified:  Tue Nov 11 13:23:44 PST 2003
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 Wow ! 
 
 The initial patch I submitted must have been
 incomplete somehow, because I really tested this thing
 on -current. 
 
 The reason might be that the first patch didn't include 
 #ifdef IPSEC at all. Then someone (maybe me on another machine...)
 who tested it complained
 about the kernel not compiling without IPSEC - and I added
 the #ifdef IPSEC without testing it 'since it was such a small
 change'.
 
 Please someone, commit the suggested patch. Also, 
 if these changes have gone to 4.9, it might be good to
 include this fix for RELENG_4_9 since it is security related.
 
 	Ari S.
 
 On Tuesday 04 November 2003 00:08, Bjoern A. Zeeb wrote:
 > >Submitter-Id:	current-users
 > >Originator:	Bjoern A. Zeeb
 > >Organization:	Zabbadoz.NeT
 > >Confidential:	no
 > >Synopsis:	[fix] ipfw2 ipsec history option not working
 > >Severity:	critical
 > >Priority:	high
 > >Category:	kern
 > >Class:		sw-bug
 > >Release:	5.1-CURRENT i386
 > >Environment:
 >
 > FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20
 > 22:19:04 UTC 2003    
 > bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-200
 >30920-2028/sys/ZAB2-2003092001  i386
 >
 > >Description:
 >
 > 	The patch applied at 4 Jul 2003 [1]
 > 	from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624
 > 	will not work in current and might never have worked
 > 	the way it should and is documented.
 >
 > 	The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c
 > 	will never match because opt_ipsec.h is never included.
 >
 > 	Furthermore, because only the check in the verify
 > 	path (ipfw_chk) is #ifdef'ed and not the path where
 > 	the rules get checked before insertion (check_ipfw_struct)
 > 	   __there will be no complaints when
 > 	     adding a rule with ipsec option__ !
 >
 > 	[1]
 > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33
 >&r2=1.34
 >
 > >How-To-Repeat:
 >
 > 	add a rule that should match all traffic with
 > 	ipsec history with log option at appropriate place
 > 	in your ruleset; s.th. like:
 >
 > 	ipfw add ... log ip from any to any ipsec
 >
 > 	there will be no match logged;
 >
 >
 > 	alternatively you may simply grep for ipsec_gethist
 > 	in ip_fw2.o; this also will not find a match though it
 > 	should be in there.
 >
 > >Fix:
 >
 > 	this patch has been verified to make O_IPSEC work
 > 	for me with IPSEC; it has not been verified to work
 > 	with FAST_IPSEC.
 >
 > 	additionally one may also add s.th. like
 > 	#if defined(IPSEC) || defined(FAST_IPSEC)
 > 	for O_IPSEC in check_ipfw_struct().
 >
 >
 > --- sys/netinet/ip_fw2.c.orig	Mon Nov  3 18:24:57 2003
 > +++ sys/netinet/ip_fw2.c	Mon Nov  3 20:47:58 2003
 > @@ -37,6 +37,7 @@
 >  #include "opt_ipdn.h"
 >  #include "opt_ipdivert.h"
 >  #include "opt_inet.h"
 > +#include "opt_ipsec.h"
 >  #ifndef INET
 >  #error IPFIREWALL requires INET.
 >  #endif /* INET */
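Review bot: with this hunk alone, check_ipfw_struct() still accepts an O_IPSEC rule on a kernel built without IPSEC, so `ipfw add ... log ip from any to any ipsec` is installed without complaint and, since the `#ifdef IPSEC` block in ipfw_chk is compiled out there, never matches or logs anything; the description above already calls this out. Gate the O_IPSEC case in check_ipfw_struct() with `#if defined(IPSEC) || defined(FAST_IPSEC)` as the Fix section suggests, so rule insertion fails loudly on a kernel that cannot evaluate the option instead of leaving an operator with a rule that silently does nothing. The Fix section also states the change was verified only with IPSEC, not FAST_IPSEC; a FAST_IPSEC build should be checked before this is committed (including to RELENG_4_9, as the reply asks), since a kernel that defines only FAST_IPSEC would otherwise hit the same no-match behaviour with the `#ifdef IPSEC` guard in ipfw_chk.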
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-ports-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Nov 5 21:32:02 PST 2003 
Responsible-Changed-Why:  
Assign to proper category.  However, this seems to be a misplaced 
followup. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58910 
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Tue Nov 11 13:23:15 PST 2003 
State-Changed-Why:  
Misfiled followup to kern/58899. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58910 
>Unformatted:
