From root@gfk.ru  Sat Dec 10 11:06:55 2005
Return-Path: <root@gfk.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9440A16A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 10 Dec 2005 11:06:55 +0000 (GMT)
	(envelope-from root@gfk.ru)
Received: from md.gfk.ru (md.f231.gfk.ru [84.21.231.130])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A58C243D66
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 10 Dec 2005 11:06:53 +0000 (GMT)
	(envelope-from root@gfk.ru)
Received: from free.home.local ([10.0.6.45])
	by md.gfk.ru (md.gfk.ru [84.21.231.130])
	(MDaemon.PRO.v6.8.5.R)
	with ESMTP id 7-md50000000023.tmp
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 10 Dec 2005 14:06:38 +0300
Received: from free.home.local (localhost [127.0.0.1])
	by free.home.local (8.13.4/8.13.4) with ESMTP id jBAB6IIX001195;
	Sat, 10 Dec 2005 14:06:20 +0300 (MSK)
	(envelope-from root@gfk.ru)
Received: (from root@localhost)
	by free.home.local (8.13.4/8.13.4/Submit) id jBAB1mPB001098;
	Sat, 10 Dec 2005 14:01:48 +0300 (MSK)
	(envelope-from root)
Message-Id: <200512101101.jBAB1mPB001098@free.home.local>
Date: Sat, 10 Dec 2005 14:01:48 +0300 (MSK)
From: Yuriy Tsibizov <Yuriy.Tsibizov@gfk.ru>
Reply-To: Yuriy Tsibizov <Yuriy.Tsibizov@gfk.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Yuriy Tsibizov <Yuriy.Tsibizov@gfk.ru>
Subject: IPSEC_FILTERGIF documentation is incomplete
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         90181
>Category:       kern
>Synopsis:       [NOTES] [patch] IPSEC_FILTERGIF documentation is incomplete
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 10 11:10:03 GMT 2005
>Closed-Date:    Wed Aug 08 12:35:51 GMT 2007
>Last-Modified:  Wed Aug 08 12:35:51 GMT 2007
>Originator:     Yuriy Tsibizov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD free.home.local 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Sat Dec 10 12:16:33 MSK 2005 chibis@free.home.local:/usr/obj/usr/src/sys/FREE-IPSEC i386

>Description:
    /usr/src/sys/conf/NOTES does not document all consequences of adding
    IPSEC_FILTERGIF to kernel configuration. It describes that this option
    only affects decrypted packets coming from IPSec-encrypted gif tunnel.
    In reality it will also allow filtering of all decrypted IPSec data
    (like transport mode ESP tunnels).
    ipfw "ipsec" option also works for all decrypted packets, if this kernel
    option is enabled.

>How-To-Repeat:
    I can't check it on real network, only on loopback (lo0).

    (kernel configuration:
options 	IPSEC			#IP security
options 	IPSEC_ESP		#IP security (crypto; define w/ IPSEC)
options 	IPSEC_FILTERGIF		#filter ipsec packets from a tunnel

options 	IPFIREWALL		#firewall
options 	IPFIREWALL_VERBOSE	#enable logging to syslogd(8)
options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
    )

    1. Add IPSEC configuration for lo0 interface:
setkey -c <<'EOF'
# start from an empty SAD and SPD so the procedure can be re-run
flush;
spdflush;
# one manual ESP SA for loopback traffic (test key only)
add 127.0.0.1 127.0.0.1 esp 0x1001 -E des-cbc 0x0000000000000001;
# require ESP tunnel mode in both directions
spdadd 127.0.0.1/32 127.0.0.1/32 any -P out ipsec esp/tunnel/127.0.0.1-127.0.0.1/require;
spdadd 127.0.0.1/32 127.0.0.1/32 any -P in  ipsec esp/tunnel/127.0.0.1-127.0.0.1/require;
EOF

    2. Add IPFW configuration:
ipfw -f flush
ipfw add allow log logamount 100 esp from any to any
ipfw add deny log logamount 100 ip from any to any

    3. Ping localhost

    4. Look into security log, you will get
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:25:15 free kernel: ipfw: 200 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0

    5. Change IPFW configuration:
ipfw -f flush
ipfw add allow log logamount 100 esp from any to any
ipfw add allow log logamount 100 ip from any to any ipsec
ipfw add deny log logamount 100 ip from any to any

    6. Ping localhost

    7. You will get
Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0
Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0
Dec 10 12:32:36 free kernel: ipfw: 200 Accept ICMP:0.0 127.0.0.1 127.0.0.1 in via lo0
    in your security log.
    
>Fix:
    Update NOTES:
#
# Set IPSEC_FILTERGIF to force packets coming from IPSec
# to be processed by any configured packet filtering (ipfw, ipf).
# The default is that these packets are _not_ processed;
# they are assumed trusted.
#
# IPSEC history is preserved for such packets, and can be filtered
# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
#

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: bz 
State-Changed-When: Wed Aug 8 12:34:18 UTC 2007 
State-Changed-Why:  
Close PR on submitters request. 
With my commit[1] things are explained a bit better. 

[1] http://docs.freebsd.org/cgi/mid.cgi?200708051616.l75GGGe4018242 


Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Wed Aug 8 12:34:18 UTC 2007 
Responsible-Changed-Why:  
Assign to myself in case of follow-ups. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=90181 
>Unformatted:
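The point of the report above is that, with IPSEC_FILTERGIF in the kernel, the decrypted payload of an ESP packet is handed to ipfw a second time, so it shows up in the security log as a separate inbound packet (ICMP in the How-To-Repeat) right after the ESP packet that carried it, and that a rule with the "ipsec" keyword can match it. The following script is an added example, not part of the PR or of FreeBSD; it parses ipfw(8) log lines in the format shown in the How-To-Repeat (steps 4 and 7) and decides whether decrypted packets reached the filter. The two log samples are the PR's own lines; the third sample (ESP only, no inner packet) is constructed here to represent the kernel without the option. The heuristic assumes the decrypted packet is logged on the same interface as the ESP packet, which holds for the lo0 test in the PR; on a real gif tunnel the decapsulated packet may be attributed to the tunnel interface instead, so the interface check is a simplification.

```python
"""Decide from ipfw(8) log lines whether decrypted IPsec payloads are being
filtered, i.e. whether the IPSEC_FILTERGIF behaviour described in PR 90181
is in effect. Added example; log format assumed as printed in the PR."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# syslog prefix followed by ipfw's own format:
#   "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# ipfw prints "P:<number>" for protocols it has no name for; ESP is 50.
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


@dataclass
class IpfwRecord:
    ts: str
    rule: int
    action: str
    proto: str              # normalised name, e.g. "ESP" or "ICMP"
    detail: Optional[str]   # e.g. "8.0" = ICMP type 8 code 0
    src: str
    dst: str
    direction: str          # "in" or "out"
    iface: str


def decode_proto(token: str) -> Tuple[str, Optional[str]]:
    """'P:50' -> ('ESP', None); 'ICMP:8.0' -> ('ICMP', '8.0'); 'TCP' -> ('TCP', None)."""
    name, _, detail = token.partition(":")
    if name == "P":
        num = int(detail)
        return IP_PROTO_NAMES.get(num, f"P:{num}"), None
    return name, (detail or None)


def parse_ipfw_log(lines) -> List[IpfwRecord]:
    """Parse ipfw log lines; lines that are not ipfw records are skipped."""
    records = []
    for line in lines:
        m = IPFW_RE.match(line.strip())
        if not m:
            continue
        proto, detail = decode_proto(m["proto"])
        records.append(IpfwRecord(m["ts"], int(m["rule"]), m["action"], proto,
                                  detail, m["src"], m["dst"], m["dir"], m["iface"]))
    return records


def inner_packets_after_esp(records: List[IpfwRecord]) -> List[IpfwRecord]:
    """Inbound non-ESP/AH packets logged on an interface after an inbound
    ESP/AH packet was seen there. With IPSEC_FILTERGIF these are the
    decrypted payloads passing through ipfw again; without it they never
    appear in the log because they are treated as trusted."""
    esp_ifaces = set()
    inner = []
    for r in records:
        if r.direction != "in":
            continue
        if r.proto in ("ESP", "AH"):
            esp_ifaces.add(r.iface)
        elif r.iface in esp_ifaces:
            inner.append(r)
    return inner


def filtergif_verdict(records: List[IpfwRecord]) -> str:
    if not any(r.proto in ("ESP", "AH") for r in records):
        return "no-ipsec-traffic"
    if inner_packets_after_esp(records):
        return "decrypted-packets-filtered"
    return "decrypted-packets-not-filtered"


# Log lines quoted from the PR (step 4: no "ipsec" rule, inner ICMP denied).
STEP4_LOG = [
    "Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0",
    "Dec 10 12:25:15 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0",
    "Dec 10 12:25:15 free kernel: ipfw: 200 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0",
]
# Log lines quoted from the PR (step 7: "ipsec" rule matches the inner packet).
STEP7_LOG = [
    "Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0",
    "Dec 10 12:32:36 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0",
    "Dec 10 12:32:36 free kernel: ipfw: 200 Accept ICMP:0.0 127.0.0.1 127.0.0.1 in via lo0",
]
# Constructed sample (not from the PR): what a kernel WITHOUT IPSEC_FILTERGIF
# would log, only the ESP wrapper is ever seen by ipfw.
NO_FILTERGIF_LOG = [
    "Dec 10 12:40:01 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 out via lo0",
    "Dec 10 12:40:01 free kernel: ipfw: 100 Accept P:50 127.0.0.1 127.0.0.1 in via lo0",
    "Dec 10 12:40:01 free kernel: unrelated message that must be ignored",
]

if __name__ == "__main__":
    for name, log in (("step 4", STEP4_LOG), ("step 7", STEP7_LOG), ("no option", NO_FILTERGIF_LOG)):
        recs = parse_ipfw_log(log)
        inner = inner_packets_after_esp(recs)
        print(name, filtergif_verdict(recs), [(r.rule, r.action, r.proto) for r in inner])
```

Run it against /var/log/security on the test box instead of the embedded samples to check the same thing live; the verdict only says whether the decapsulated packet was seen by ipfw, the rule number and action on the inner record tell you which rule matched it.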
