Date:      Mon, 10 Feb 2003 11:47:06 -0700 (MST)
From:      Mike Durian <durian@boogie.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/48159: ip_input.c change 1.214 results in double processing
Message-ID:  <200302101847.h1AIl673076415@man.boogie.com>


>Number:         48159
>Category:       kern
>Synopsis:       ip_input.c change 1.214 results in double processing
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 10 10:50:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Mike Durian
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD man.boogie.com 5.0-CURRENT FreeBSD 5.0-CURRENT #11: Mon Feb 3 15:50:00 MST 2003 root@man.boogie.com:/disk2/obj/disk2/src/sys/BOOGIE i386


	
>Description:
	Despite the following comment from change 1.214 to ip_input.c:

		Get rid of checking for ip sec history. It is true
		that packets are not supposed to be checked by the
		firewall rules twice. However, because the various
		ipsec handlers never call ip_input(), this never
		happens anyway.

	IPsec packets do get processed twice - once as ESP packets and
	once in their decrypted form.  If I back out change 1.214,
	the packets are only processed once as ipfilter documents
	(see http://coombs.anu.edu.au/~avalon/ipfil-flow.html).

>How-To-Repeat:
	Set up a standard IPsec tunnel (don't use additional gif tunnels).
	Let's call the far side a.a.a.0/24.
	Create rules to pass esp packets, but block a.a.a.0/24 packets.
	If change 1.214 is in place, you will not receive traffic from
	a.a.a.0/24 as the decrypted packets will be blocked by the block
	rule.  If change 1.214 is removed, you will receive the packets
	as the ESP rule passes them and they are not processed again
	in decrypted form.
>Fix:

	Back out ip_input.c change 1.214.


>Release-Note:
>Audit-Trail:
>Unformatted:
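An ipfilter ruleset that reproduces the test described in the report's How-To-Repeat section, added here as an illustration and not taken from the report itself. The interface name fxp0, the local endpoint b.b.b.b and the peer address a.a.a.1 are assumptions; a.a.a.0/24 is the far-side network the report uses.

```ipf
# Added example, not from the original report.
# Assumed: external interface fxp0, local IPsec endpoint b.b.b.b,
# remote IPsec peer a.a.a.1, far-side inner network a.a.a.0/24.
#
# Pass the ESP packets from the peer. "quick" makes this a first-match rule
# so the block rule below never sees the encrypted packet.
pass in quick on fxp0 proto esp from a.a.a.1 to b.b.b.b

# Block anything that arrives with a source in the far side's inner network.
# With change 1.214 in place, the decrypted inner packets re-enter the filter
# and match here; with 1.214 backed out, they do not.
block in log quick on fxp0 from a.a.a.0/24 to any
```

Load the rules with `ipf -Fa -f /etc/ipf.rules`, send traffic from a host in a.a.a.0/24 through the tunnel, and compare the hit counts from `ipfstat -hio` (or the logged blocks in `ipmon`) before and after backing out the change: a rising hit count on the block rule is the double processing the report describes.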




