From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Fri, 24 Nov 2017 04:42:22 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r326142 - in stable/11/sys: modules/ipfw netpfil/ipfw

Author: ae
Date: Fri Nov 24 04:42:21 2017
New Revision: 326142

URL: https://svnweb.freebsd.org/changeset/base/326142

Log:
  MFC r325960:
    Unconditionally enable support for O_IPSEC opcode.

    IPsec support can be loaded as a kernel module, thus do not depend on
    the kernel option IPSEC and always build the O_IPSEC opcode
    implementation as enabled.

  MFC r325962:
    Do not invoke IPv4 NAT handler for non-IPv4 packets.

    Libalias expects a packet to be IPv4. And in case it is IPv6, it just
    translates it as IPv4. This leads to corruption and in some cases to
    panics. In particular, a panic can happen when the value of ip6_plen
    is modified to something that leads to IP fragmentation, but the actual
    packet length does not match the IP length.

    Packets that are not IPv4 will be dropped by the NAT rule.

Modified:
  stable/11/sys/modules/ipfw/Makefile
  stable/11/sys/netpfil/ipfw/ip_fw2.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/modules/ipfw/Makefile
==============================================================================
--- stable/11/sys/modules/ipfw/Makefile	Fri Nov 24 02:39:38 2017	(r326141)
+++ stable/11/sys/modules/ipfw/Makefile	Fri Nov 24 04:42:21 2017	(r326142)
@@ -7,7 +7,7 @@ SRCS= ip_fw2.c ip_fw_pfil.c ip_fw_bpf.c SRCS+= ip_fw_dynamic.c ip_fw_log.c ip_fw_eaction.c SRCS+= ip_fw_sockopt.c ip_fw_table.c ip_fw_table_algo.c ip_fw_iface.c SRCS+= ip_fw_table_value.c -SRCS+= opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h opt_ipsec.h +SRCS+= opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h CFLAGS+= -DIPFIREWALL # Modified: stable/11/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- stable/11/sys/netpfil/ipfw/ip_fw2.c Fri Nov 24 02:39:38 2017 (r326141) +++ stable/11/sys/netpfil/ipfw/ip_fw2.c Fri Nov 24 04:42:21 2017 (r326142) @@ -37,7 +37,6 @@ __FBSDID("$FreeBSD$"); #error "IPFIREWALL requires INET" #endif /* INET */ #include "opt_inet6.h" -#include "opt_ipsec.h" #include #include @@ -1945,10 +1944,8 @@ do { \ break; case O_IPSEC: -#ifdef IPSEC match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL); -#endif /* otherwise no match */ break; @@ -2563,7 +2560,11 @@ do { \ case O_NAT: l = 0; /* exit inner loop */ done = 1; /* exit outer loop */ - if (!IPFW_NAT_LOADED) { + /* + * Ensure that we do not invoke NAT handler for + * non IPv4 packets. Libalias expects only IPv4. + */ + if (!is_ipv4 || !IPFW_NAT_LOADED) { retval = IP_FW_DENY; break; }
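Review bot: in the Makefile hunk, dropping opt_ipsec.h from SRCS means the option header is no longer generated for the module build, so confirm that none of the other sources listed in this Makefile (ip_fw_dynamic.c, ip_fw_log.c, ip_fw_pfil.c and the rest) still include "opt_ipsec.h" or test the IPSEC define; a leftover `#ifdef IPSEC` in one of them would now compile silently as "no IPsec" with no error to flag it. The removal itself is consistent with the `#include "opt_ipsec.h"` removal in ip_fw2.c.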
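Review bot: the trailing `/* otherwise no match */` comment in the O_IPSEC hunk now describes an `#else` path that no longer exists; either drop it or reword it to say that `match` stays 0 when no PACKET_TAG_IPSEC_IN_DONE tag is attached to the mbuf. Making the m_tag_find() lookup unconditional is the right fix for the ipsec.ko case: m_tag_find() is plain mbuf tag code with no dependency on the IPSEC kernel option, so a kernel built without IPSEC but running the IPsec module now matches its `ipsec` rules instead of never matching, while a kernel with no IPsec at all behaves as before because no such tag is ever attached.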
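Review bot: in the O_NAT hunk, `if (!is_ipv4 || !IPFW_NAT_LOADED)` folds two different conditions into a single IP_FW_DENY, so a non-IPv4 packet that reaches a nat rule is now dropped rather than skipped, exactly as the log message says, but the new in-code comment only says the handler is not invoked. State the drop explicitly in the comment and in the nat section of ipfw(8): an IPv6 packet matching a nat rule previously went through libalias (and could corrupt it or panic the kernel) and now simply disappears, and an operator chasing missing IPv6 traffic will look at the ruleset before the source. The short-circuit order is fine, since `is_ipv4` is cheap and the NAT-loaded check is only reached for IPv4.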