Date: Tue, 4 Nov 2003 08:52:25 +0200
From: Ari Suutari <ari.suutari@syncrontech.com>
To: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>, FreeBSD-gnats-submit@freebsd.org
Cc: security@freebsd.org
Subject: Re: [fix] ipfw2 ipsec history option not working
Message-ID: <200311040852.25359.ari.suutari@syncrontech.com>
In-Reply-To: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
References: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
Wow! The initial patch I submitted must have been incomplete somehow, because I really tested this thing on -current. The reason might be that the first patch didn't include #ifdef IPSEC at all. Then someone (maybe me on another machine...) who tested it complained about the kernel not compiling without IPSEC - and I added the #ifdef IPSEC without testing it 'since it was such a small change'.

Please someone, commit the suggested patch. Also, if these changes have gone to 4.9, it might be good to include this fix for RELENG_4_9 since it is security related.

	Ari S.

On Tuesday 04 November 2003 00:08, Bjoern A. Zeeb wrote:
> >Submitter-Id: current-users
> >Originator: Bjoern A. Zeeb
> >Organization: Zabbadoz.NeT
> >Confidential: no
> >Synopsis: [fix] ipfw2 ipsec history option not working
> >Severity: critical
> >Priority: high
> >Category: kern
> >Class: sw-bug
> >Release: 5.1-CURRENT i386
> >Environment:
>
> FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003 bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001 i386
>
> >Description:
>
> The patch applied at 4 Jul 2003 [1]
> from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624
> will not work in current and might never have worked
> the way it should and is documented.
>
> The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c
> will never match because opt_ipsec.h is never included.
>
> Furthermore, because only the check in the verify
> path (ipfw_chk) is #ifdef'ed and not the path where
> the rules get checked before insertion (check_ipfw_struct),
> __there will be no complaints when
> adding a rule with ipsec option__ !
>
> [1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33&r2=1.34
>
> >How-To-Repeat:
>
> add a rule that should match all traffic with
> ipsec history with log option at appropriate place
> in your ruleset; s.th. like:
>
> ipfw add ... log ip from any to any ipsec
>
> there will be no match logged;
>
> alternatively you may simply grep for ipsec_gethist
> in ip_fw2.o; this also will not find a match though it
> should be in there.
>
> >Fix:
>
> this patch has been verified to make O_IPSEC work
> for me with IPSEC; it has not been verified to work
> with FAST_IPSEC.
>
> additionally one may also add s.th. like
> #if defined(IPSEC) || defined(FAST_IPSEC)
> for O_IPSEC in check_ipfw_struct().
>
> --- sys/netinet/ip_fw2.c.orig Mon Nov 3 18:24:57 2003
> +++ sys/netinet/ip_fw2.c Mon Nov 3 20:47:58 2003
> @@ -37,6 +37,7 @@
> #include "opt_ipdn.h"
> #include "opt_ipdivert.h"
> #include "opt_inet.h"
> +#include "opt_ipsec.h"
> #ifndef INET
> #error IPFIREWALL requires INET.
> #endif /* INET */
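Review bot: the added `#include "opt_ipsec.h"` makes the existing `#ifdef IPSEC` in ipfw_chk() effective, but the hunk leaves the second problem in the Description unaddressed: the O_IPSEC case in check_ipfw_struct() is still accepted on a kernel built without IPSEC, so a rule like `ipfw add ... log ip from any to any ipsec` is installed and never matches, and the administrator gets no indication that the ipsec condition is dead. Suggest committing the guard the Fix section itself proposes, `#if defined(IPSEC) || defined(FAST_IPSEC)` around O_IPSEC in check_ipfw_struct(), so that insertion fails with an error instead. Since the submitter says the patch is unverified with FAST_IPSEC, the ipfw_chk() side should use the same combined condition as check_ipfw_struct() so the two paths cannot drift apart again, and whether FAST_IPSEC provides ipsec_gethist() (the symbol the How-To-Repeat greps for) needs confirming before this is merged to RELENG_4_9.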
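A reduced model of the two code paths the report describes, added here as an example and not taken from Bjoern's patch or from ip_fw2.c: rule_matches() plays the part of ipfw_chk(), and the two check_rule_*() functions play check_ipfw_struct() before and after the guard suggested under Fix. The opcode values, struct and function names are assumptions; no opt_ipsec.h is included, so IPSEC is undefined just as it was before the patch.

```c
/* Added example modelled on the report, not code from ip_fw2.c; names are
 * assumptions. No opt_ipsec.h is included, so IPSEC is undefined as before the patch. */
#include <errno.h>
#include <stdbool.h>
enum opcode { O_IP_SRC = 1, O_LOG, O_IPSEC };
struct pkt { bool has_ipsec_history; };

/* Match path (the role of ipfw_chk): O_IPSEC is only compiled in under IPSEC. */
int rule_matches(enum opcode op, const struct pkt *p)
{
    (void)p;                    /* only read when IPSEC is defined */
    switch (op) {
    case O_IP_SRC: case O_LOG:
        return 1;
#ifdef IPSEC
    case O_IPSEC:
        return p->has_ipsec_history ? 1 : 0;
#endif
    default:
        return 0;               /* opcode unknown to this build: never matches */
    }
}
/* Insertion path as reported (role of check_ipfw_struct): O_IPSEC always accepted. */
int check_rule_unguarded(enum opcode op)
{
    return (op == O_IP_SRC || op == O_LOG || op == O_IPSEC) ? 0 : EINVAL;
}
/* Insertion path with the guard the Fix section suggests: without IPSEC the
 * rule is refused with EINVAL when added, instead of being silently installed. */
int check_rule_guarded(enum opcode op)
{
    switch (op) {
    case O_IP_SRC: case O_LOG:
        return 0;
#if defined(IPSEC) || defined(FAST_IPSEC)
    case O_IPSEC:
        return 0;
#endif
    default:
        return EINVAL;
    }
}
/* 1 when the unguarded path installs the rule but it can never match, even
 * on a packet that does carry IPsec history. */
int accepted_but_dead(enum opcode op)
{
    struct pkt p = { .has_ipsec_history = true };
    return check_rule_unguarded(op) == 0 && rule_matches(op, &p) == 0;
}
```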