From yvan.vanhullebus@netasq.com  Thu Mar  9 14:36:02 2006
Return-Path: <yvan.vanhullebus@netasq.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 49E2B16A420
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  9 Mar 2006 14:36:02 +0000 (GMT)
	(envelope-from yvan.vanhullebus@netasq.com)
Received: from smtp.netasq.com (netasq.netasq.com [213.30.137.178])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DB22C43D46
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  9 Mar 2006 14:36:01 +0000 (GMT)
	(envelope-from yvan.vanhullebus@netasq.com)
Received: from [10.2.0.3] (f1000c001440400601.netasq.com [10.0.0.126])
	by smtp.netasq.com (Postfix) with ESMTP id 2B4402F827
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  9 Mar 2006 15:34:03 +0100 (CET)
Received: by yvan.netasq.int (Postfix, from userid 1000)
	id 4A13154D0; Thu,  9 Mar 2006 15:35:59 +0100 (CET)
Message-Id: <20060309143559.4A13154D0@yvan.netasq.int>
Date: Thu,  9 Mar 2006 15:35:59 +0100 (CET)
From: VANHULLEBUS Yvan <vanhu@netasq.com>
Reply-To: VANHULLEBUS Yvan <vanhu@netasq.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: IPIP decapsulation problem in FAST_IPSEC stack
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         94273
>Category:       kern
>Synopsis:       [ipsec] [patch] IPIP decapsulation problem in FAST_IPSEC stack
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ae
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 09 14:40:13 GMT 2006
>Closed-Date:    
>Last-Modified:  Fri Apr 04 09:37:11 UTC 2014
>Originator:     VANHULLEBUS Yvan
>Release:        FreeBSD 6.0-STABLE
>Organization:
NETASQ
>Environment:
System: FreeBSD yvan.netasq.int 6.0-STABLE FreeBSD 6.0-STABLE #6:  Tue Dec  6 19:20:56 CET 2005 root@yvan.netasq.int:/usr/src/sys/compile/vanhu i386
>Description:
FAST_IPSEC doesn't correctly remove the IPIP header for Tunneled packets.

It works (I guess by accident), because the IPIP header is removed when
the packet is reinjected in ip_input.c, but that implies an extra call
to ip_input.

There is some code to remove the IPIP header in ipsec_input.c, but it
doesn't work correctly.


>How-To-Repeat:
Set up a tunnel mode IPsec conf, and look at what happens in ip_input...


>Fix:
--- netipsec/ipsec_input.c.orig	Thu Mar  9 15:00:26 2006
+++ netipsec/ipsec_input.c	Thu Mar  9 15:01:15 2006
@@ -323,8 +323,6 @@ ipsec4_common_input_cb(struct mbuf *m, s
 
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
-		struct ip ipn;
-
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
 			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
 			    ahstat.ahs_hdrops,
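Review bot: Dropping the `struct ip ipn;` declaration at the top of the `IPPROTO_IPIP` block is only safe if nothing further down in that block still reads `ipn`, and the code under `#ifdef notyet` that follows is not compiled in a default build, so a leftover reference there would go unnoticed. Please check that section for `ipn` uses and either convert them to read the inner header from the mbuf after the strip or remove them in the same change. Note also that the length check kept here is expressed in terms of `skip`, so it would help to say in the commit message what `skip` covers at this point.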
@@ -332,9 +330,8 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EINVAL;
 			goto bad;
 		}
-		/* ipn will now contain the inner IPv4 header */
-		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip),
-		    (caddr_t) &ipn);
+		/* remove the outer IPv4 header */
+		m_striphdr(m, 0, ip->ip_hl << 2);
 
 #ifdef notyet
 		/* XXX PROXY address isn't recorded in SAH */
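Review bot: After `m_striphdr(m, 0, ip->ip_hl << 2);` the `ip` pointer still refers to the outer header that was just removed, so any later use of `ip` in this function needs a fresh pointer to the new start of the packet; please re-derive it right after the strip or confirm no later code dereferences it. The strip length is taken from `ip->ip_hl << 2` while the guard above checks `m->m_pkthdr.len - skip`, so using one quantity for both (or a comment stating they are equal here) would make it obvious that the check bounds the strip. The old code only copied the inner header and left the packet unchanged, so everything after this point now sees a shorter packet starting at the inner header, which deserves a line in the comment beyond "remove the outer IPv4 header".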
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gnn@freebsd.org 
Responsible-Changed-By: gnn 
Responsible-Changed-When: Fri Mar 10 11:35:15 UTC 2006 
Responsible-Changed-Why:  
Taken for testing and repair. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=94273 

From: "Dmitry Andrianov" <dimas@dataart.com>
To: <bug-followup@FreeBSD.org>,
	<vanhu@netasq.com>
Cc:  
Subject: Re: kern/94273: [netipsec] [patch] IPIP decapsulation problem in FAST_IPSEC stack
Date: Wed, 27 Sep 2006 18:55:27 +0400

 It is more than half a year since the patch was submitted and it is not
 committed to CVS yet. Just wonder whether it will be included with 6.2
 release?
 
 Regards,
 Dmitry Andrianov
 
 PS: there is also an ipsec6_common_input_cb function. Shouldn't it be
 patched the same way?

From: VANHULLEBUS Yvan <vanhu@netasq.com>
To: Dmitry Andrianov <dimas@dataart.com>
Cc: bug-followup@FreeBSD.org
Subject: Re:  kern/94273: [netipsec] [patch] IPIP decapsulation problem in FAST_IPSEC stack
Date: Wed, 27 Sep 2006 17:05:04 +0200

 On Wed, Sep 27, 2006 at 06:55:27PM +0400, Dmitry Andrianov wrote:
 > It is more than half a year since the patch was submitted and it is not
 > committed to CVS yet. Just wonder whether it will be included with 6.2
 > release?
 
 To be more exact, it looks like the patch has been reported to
 RELENG_6 branch, but is disabled.
 
 
 
 > Regards,
 > Dmitry Andrianov
 > 
 > PS: there is also an ipsec6_common_input_cb function. Shouldn't it be
 > patched the same way?
 
 Probably, but as I didn't have an IPv6 build, I couldn't make tests.
 
 
 
 Yvan.
 
 -- 
 NETASQ
 http://www.netasq.com

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/94273: [netipsec] [patch] IPIP decapsulation problem in
 FAST_IPSEC stack
Date: Mon, 31 Dec 2007 12:26:29 +0000 (UTC)

 I had been looking at that code while looking at enc(4). I am not yet
 sure if not going via ip_input again with the ipip header would break
 IPIP over ipsec tunnel modes. I have to investigate that.
 
 This is related to the ipencap rules needed with pf(4) because of the
 extra roundtrip via ip_input.
 
 OpenBSD has code for that but it looks strange reading it. We need to
 be sure to not break anything.
 
 
 PS: gnn if you want you can assign this to me.
 
 -- 
 Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
 Software is harder than hardware  so better get it right the first time.
Responsible-Changed-From-To: gnn->bz 
Responsible-Changed-By: gnn 
Responsible-Changed-When: Tue Jun 15 17:17:30 UTC 2010 
Responsible-Changed-Why:  
Re-assign. This might already be fixed. 

Responsible-Changed-From-To: bz->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Fri Apr 4 09:36:44 UTC 2014 
Responsible-Changed-Why:  
I'm working on this now. 

>Unformatted:
