From owner-freebsd-bugs Mon Feb 10 10:50:06 2003
Message-Id: <200302101847.h1AIl673076415@man.boogie.com>
Date: Mon, 10 Feb 2003 11:47:06 -0700 (MST)
From: Mike Durian
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/48159: ip_input.c change 1.214 results in double processing

>Number:         48159
>Category:       kern
>Synopsis:       ip_input.c change 1.214 results in double processing
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 10 10:50:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Mike Durian
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD man.boogie.com 5.0-CURRENT FreeBSD 5.0-CURRENT #11: Mon Feb 3 15:50:00 MST 2003 root@man.boogie.com:/disk2/obj/disk2/src/sys/BOOGIE i386
>Description:
Despite the following comment from change 1.214 to ip_input.c:

    Get rid of checking for ip sec history. It is true that packets
    are not supposed to be checked by the firewall rules twice.
    However, because the various ipsec handlers never call ip_input(),
    this never happens anyway.

IPsec packets do get processed twice - once as ESP packets and once in
their decrypted form. If I back out change 1.214, the packets are only
processed once as ipfilter documents (see
http://coombs.anu.edu.au/~avalon/ipfil-flow.html).
>How-To-Repeat:
Set up a standard IPsec tunnel (don't use additional gif tunnels).
Let's call the far side a.a.a.0/24. Create rules to pass esp packets,
but block a.a.a.0/24 packets. If change 1.214 is in place, you will not
receive traffic from a.a.a.0/24 as the decrypted packets will be blocked
by the block rule. If change 1.214 is removed, you will receive the
packets as the ESP rule passes them and they are not processed again in
decrypted form.
>Fix:
Back out ip_input.c change 1.214.
>Release-Note:
>Audit-Trail:
>Unformatted:
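The following is an added example, not part of the bug report and not code from FreeBSD's ip_input.c or from ipfilter. It is a small model of the inbound path the report describes (ESP packet passes the filter, the ESP handler yields the decrypted packet, the decrypted packet re-enters input processing) and shows the two outcomes the reporter contrasts: with change 1.214, the inner packet is filtered a second time and the block rule for the far-side subnet drops it; with the pre-1.214 behaviour modelled as "skip the filter when the packet carries IPsec history", it is delivered. Every name in the block (struct pkt, filter(), esp_decrypt(), ip_input_model(), the ipsec_history flag) is invented for the model, and the addresses are constructed stand-ins (10.1.1.0/24 for the report's a.a.a.0/24, 198.51.100.1 for the peer's outer address).

```c
/*
 * Added example, not FreeBSD code: a model of one inbound IPsec packet
 * traversing a first-match packet filter, with and without a second
 * filter pass over the decrypted packet. All names and addresses here
 * are constructed for the model.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_ESP 50
#define PROTO_TCP 6

struct pkt {
    uint32_t src;           /* IPv4 source, host byte order */
    uint32_t dst;
    uint8_t  proto;
    bool     ipsec_history; /* set once the packet came out of the ESP handler */
};

enum action { PASS, BLOCK };

struct rule {
    uint8_t  proto;    /* 0 = any protocol */
    uint32_t src_net;  /* 0 = any source */
    uint32_t src_mask;
    enum action act;
};

/* Constructed stand-ins for the addresses in the report. */
#define NET_A    0x0A010100u /* 10.1.1.0, plays the role of a.a.a.0/24 */
#define MASK_24  0xFFFFFF00u
#define LOCAL    0xC0A80103u /* 192.168.1.3 */
#define PEER_OUT 0xC6336401u /* 198.51.100.1, peer's outer (tunnel) address */

/* The ruleset the report describes: pass ESP, block the far side's inner subnet. */
static const struct rule rules[] = {
    { PROTO_ESP, 0,     0,       PASS  },
    { 0,         NET_A, MASK_24, BLOCK },
};

/* First-match filter; default pass keeps the model small. */
static enum action filter(const struct pkt *p)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (r->proto && r->proto != p->proto)
            continue;
        if (r->src_mask && (p->src & r->src_mask) != r->src_net)
            continue;
        return r->act;
    }
    return PASS;
}

/* Models the ESP handler: strip the outer header, hand back the inner packet. */
static struct pkt esp_decrypt(const struct pkt *outer, uint32_t inner_src)
{
    struct pkt inner = { inner_src, outer->dst, PROTO_TCP, true };
    return inner;
}

/*
 * Models input processing for one packet. skip_if_ipsec_history = true
 * models the pre-1.214 check (decrypted packets skip the filter);
 * false models change 1.214 (every packet is filtered).
 * Returns true if the inner packet reaches the local stack.
 */
static bool ip_input_model(struct pkt p, bool skip_if_ipsec_history, int depth)
{
    if (!(skip_if_ipsec_history && p.ipsec_history)) {
        if (filter(&p) == BLOCK)
            return false;
    }
    if (p.proto == PROTO_ESP && depth == 0) {
        /* The decrypted packet re-enters input processing. */
        struct pkt inner = esp_decrypt(&p, NET_A | 7); /* inner source 10.1.1.7 */
        return ip_input_model(inner, skip_if_ipsec_history, depth + 1);
    }
    return true;
}

/* With change 1.214: the decrypted packet hits the block rule. */
bool delivered_with_1_214(void)
{
    struct pkt esp = { PEER_OUT, LOCAL, PROTO_ESP, false };
    return ip_input_model(esp, false, 0);
}

/* With 1.214 backed out: IPsec history skips the second filter pass. */
bool delivered_without_1_214(void)
{
    struct pkt esp = { PEER_OUT, LOCAL, PROTO_ESP, false };
    return ip_input_model(esp, true, 0);
}

int main(void)
{
    printf("with 1.214:    %s\n", delivered_with_1_214() ? "delivered" : "blocked");
    printf("without 1.214: %s\n", delivered_without_1_214() ? "delivered" : "blocked");
    return 0;
}
```

The two rules correspond to an ipfilter configuration along the lines of `pass in proto esp from any to any` followed by `block in from a.a.a.0/24 to any`. The model also makes the policy question visible: a filter that sees the decrypted packet can enforce rules on inner addresses, whereas one that skips it accepts whatever the security association delivers, so which behaviour an administrator wants depends on where the policy for the tunnelled traffic is meant to be applied.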