From ari@mato.dyndns.suutari.iki.fi  Thu Nov  4 09:19:31 2004
Message-Id: <200411040919.iA49JPh3001543@mato.dyndns.suutari.iki.fi>
Date: Thu, 4 Nov 2004 11:19:25 +0200 (EET)
From: Ari Suutari <ari@suutari.iki.fi>
Reply-To: Ari Suutari <ari@suutari.iki.fi>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: pfil_hooks (ipfw,pf etc) and ipsec processing order for outgoing packets is wrong
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         73517
>Category:       kern
>Synopsis:       [pfil] pfil_hooks (ipfw,pf etc) and ipsec processing order for outgoing packets is wrong
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    csjp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 04 09:20:26 GMT 2004
>Closed-Date:    Fri Nov 16 09:05:27 UTC 2007
>Last-Modified:  Wed Sep  7 19:50:06 UTC 2011
>Originator:     Ari Suutari
>Release:        FreeBSD 5.3-RC2 i386
>Organization:
>Environment:
System: FreeBSD mato.suutari.iki.fi 5.3-RC2 FreeBSD 5.3-RC2 #13: Wed Nov 3 17:47:15 EET 2004 ari@mato.suutari.iki.fi:/usr/obj/usr/src/sys/MATO i386


>Description:
When using the IPSEC_FILTERGIF kernel option, the processing order of ipsec and
ipfw (pfil_hook) is not correct for outgoing packets.
Currently, ipsec processing is done first regardless of IPSEC_FILTERGIF,
which lets packets go through without firewall inspection.
This might be a security problem for someone, but at least it
breaks stateful rule handling.

My test setup is (all FreeBSD 5.3-RC1 machines):

freebsd laptop <-> ipsec tunnel <-> freebsd server

When server sends packet to laptop, it now goes like this:

ip_output -> ipsec -> ipfw -> network

It should go like this:

ip_output -> ipfw -> ipsec -> ipfw -> network

>How-To-Repeat:
Compile a kernel with the ipsec and IPSEC_FILTERGIF options. Create an
ipsec policy which uses esp between two machines. Add firewall
rules like

ipfw add count esp from a to b
ipfw add count esp from b to a
ipfw add count icmp from a to b
ipfw add count icmp from b to a

Start pinging from a to b. You'll notice that only one
of the icmp counters increases.
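The counter check described above can be scripted against two `ipfw -a list` snapshots. This is an added example, not part of the PR or of FreeBSD; it assumes a=192.0.2.1 and b=192.0.2.2, rule numbers 00100-00400 in the order given above, and the two snapshots below are constructed sample output rather than captures from a real system.

```shell
#!/bin/sh
# Added example: detect the "ipsec before pfil" ordering from ipfw counters.
# A ping from a to b should advance both the outbound icmp rule (cleartext,
# before encapsulation) and the outbound esp rule. If only esp advances,
# the cleartext packet never passed the pfil hooks on the way out.

# Constructed `ipfw -a list` snapshot taken before the ping (rule# pkts bytes action).
BEFORE='00100        0          0 count esp from 192.0.2.1 to 192.0.2.2
00200        0          0 count esp from 192.0.2.2 to 192.0.2.1
00300        0          0 count icmp from 192.0.2.1 to 192.0.2.2
00400        0          0 count icmp from 192.0.2.2 to 192.0.2.1
65535     1234     567890 allow ip from any to any'

# Constructed snapshot after 5 pings: outbound esp and inbound icmp (after
# decryption) were counted, but outbound icmp was not, i.e. the order
# ip_output -> ipsec -> ipfw -> network that the PR describes.
AFTER='00100        5        740 count esp from 192.0.2.1 to 192.0.2.2
00200        5        740 count esp from 192.0.2.2 to 192.0.2.1
00300        0          0 count icmp from 192.0.2.1 to 192.0.2.2
00400        5        420 count icmp from 192.0.2.2 to 192.0.2.1
65535     1244     568050 allow ip from any to any'

# pkts <snapshot-text> <rule#>: packet counter of one rule (empty if absent).
pkts() {
    printf '%s\n' "$1" | awk -v r="$2" '$1 == r { print $2; exit }'
}

# delta <before> <after> <rule#>: packets the rule counted between snapshots.
delta() {
    a=$(pkts "$2" "$3"); b=$(pkts "$1" "$3")
    echo $(( ${a:-0} - ${b:-0} ))
}

# check_order <before> <after>: "ok" when every outbound esp packet was
# preceded by a counted cleartext icmp packet, "bypass" otherwise.
check_order() {
    esp_out=$(delta "$1" "$2" 00100)
    icmp_out=$(delta "$1" "$2" 00300)
    if [ "$esp_out" -gt 0 ] && [ "$icmp_out" -lt "$esp_out" ]; then
        echo bypass
    else
        echo ok
    fi
}

check_order "$BEFORE" "$AFTER"
```

On a real host, capture `ipfw -a list` into two variables around the ping and pass them to check_order in place of the constructed snapshots.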

>Fix:
I think that this could be fixed by just moving/adding pfil_hook
processing in ip_output before ipsec processing when IPSEC_FILTERGIF
is enabled.

I received an example patch from Mr. Joost Bekkers (http://jodocus.org/ipsec-pfil.diff ),
but it doesn't fully work for KAME IPSEC (KAME ipsec seems to require having
pfil_hooks both before ipsec and after it; FAST_IPSEC queues the packet back
to ip_output, so it works correctly with the proposed fix).
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 08:15:07 UTC 2007 
State-Changed-Why:  

Is this issue still present? I was under the impression that you fixed it. 


Responsible-Changed-From-To: freebsd-bugs->csjp 
Responsible-Changed-By: kmacy 
Responsible-Changed-When: Fri Nov 16 08:15:07 UTC 2007 
Responsible-Changed-Why:  

Is this issue still present? I was under the impression that you fixed it.  

http://www.freebsd.org/cgi/query-pr.cgi?pr=73517 
State-Changed-From-To: feedback->closed 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 09:04:27 UTC 2007 
State-Changed-Why:  

The submitter has not seen this since upgrading. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73517 

From: Luoqi Chen <lchen@fountontech.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
	"ari@suutari.iki.fi" <ari@suutari.iki.fi>
Cc:  
Subject: Re: kern/73517: [pfil] pfil_hooks (ipfw,pf etc) and ipsec
 processing order for outgoing packets is wrong
Date: Wed, 7 Sep 2011 12:26:45 -0700

It seems that this issue has not been fixed, in transport mode pre-esp packets still only go through pfil hooks on input and that screws up state tracking. I've also checked with svn head, the process order has not been changed in the code.
>Unformatted:
