From owner-freebsd-net Mon Feb 10 10:38: 1 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1228B37B401;
	Mon, 10 Feb 2003 10:38:00 -0800 (PST)
Received: from fever.boogie.com (cpe-66-87-52-132.co.sprintbbd.net [66.87.52.132])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6101B43F93;
	Mon, 10 Feb 2003 10:37:58 -0800 (PST)
	(envelope-from durian@boogie.com)
Received: from man.boogie.com (man [192.168.1.3])
	by fever.boogie.com (8.12.6/8.12.6) with ESMTP id h1AIbkQh000712;
	Mon, 10 Feb 2003 11:37:46 -0700 (MST)
	(envelope-from durian@boogie.com)
From: Mike Durian
To: Andriy Gapon, freebsd-net@FreeBSD.ORG
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
Date: Mon, 10 Feb 2003 11:37:45 -0700
User-Agent: KMail/1.5
Cc: Guido van Rooij
References: <20030210114109.G53494@edge.foundation.invalid>
In-Reply-To: <20030210114109.G53494@edge.foundation.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200302101137.45763.durian@boogie.com>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Monday 10 February 2003 09:42 am, Andriy Gapon wrote:
>
> The reason I am asking this question with such a big crosspost is that it
> seems that all previous discussions on this topic resulted in nothing. And
> this change definitely breaks things for those who use ipsec without extra
> stuff like gif tunnels. It definitely doesn't look like a kind of change
> welcomed in -stable branch, not mentioning a potential security
> vulnerability for those who can not use gif.

I'd like to confirm this. I just backed out change ip_input.c 1.214 on my
-current box and the double processing problem went away.

With change 1.214 in place, ESP packets are processed twice, once as ESP
packets and once in their decrypted form. So, despite the comment in the
commit message:

    Get rid of checking for ip sec history. It is true that packets are not
    supposed to be checked by the firewall rules twice. However, because the
    various ipsec handlers never call ip_input(), this never happens anyway.

It looks like ipsec must be calling ip_input() somewhere.

I too would like to see ipfilter behave as documented (in -current too) and
not re-process decrypted ESP packets. Perhaps change 1.214 can be reworked
or reverted? I'll file a PR.

mike
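The double-processing Mike describes comes down to control flow: the ESP handler hands the decrypted inner packet back to ip_input(), and whether the firewall hook in ip_input() consults the packet's IPsec history decides if that second entry is filtered again. The following is an added, constructed model of that path, written for this page; it is not FreeBSD's ip_input.c or any code from the thread, and the names (ip_input, esp_input, check_ipsec_history, firewall_passes, inner_packet_filtered) and the two-protocol packet struct are illustrative assumptions.

```c
#include <stdio.h>

/* Constructed model of the inbound IPsec/firewall ordering discussed in
 * the thread. It is NOT FreeBSD's ip_input.c; every name here is
 * illustrative only. */

#define IPPROTO_TCP 6
#define IPPROTO_ESP 50

struct pkt {
    int proto;           /* protocol of the outermost header still present */
    int ipsec_history;   /* set once an IPsec handler has decapsulated it */
    int fw_passes;       /* how many times the firewall hook examined it */
    int fw_saw_inner;    /* did the firewall ever see the decrypted form? */
};

/* 1 models the pre-1.214 behaviour (skip packets carrying IPsec history);
 * 0 models change 1.214 (filter every entry into ip_input()). */
static int check_ipsec_history = 1;

static void ip_input(struct pkt *p);

/* Model ESP handler: strip/decrypt the ESP layer, mark the packet as
 * IPsec-processed, then re-inject the inner packet into ip_input(), the
 * re-entry the thread concludes must be happening somewhere. */
static void esp_input(struct pkt *p)
{
    p->proto = IPPROTO_TCP;
    p->ipsec_history = 1;
    ip_input(p);
}

static void ip_input(struct pkt *p)
{
    /* Firewall hook. With the history check, a decrypted packet that
     * re-enters here is not run through the rules a second time. */
    if (!(check_ipsec_history && p->ipsec_history)) {
        p->fw_passes++;
        if (p->proto != IPPROTO_ESP)
            p->fw_saw_inner = 1;
    }
    if (p->proto == IPPROTO_ESP)
        esp_input(p);
}

/* Run one ESP-encapsulated TCP packet through the model and report how
 * many times the firewall examined it (1 with the check, 2 without). */
int firewall_passes(int with_history_check)
{
    struct pkt p = { IPPROTO_ESP, 0, 0, 0 };
    check_ipsec_history = with_history_check;
    ip_input(&p);
    return p.fw_passes;
}

/* Whether the firewall ever examined the decrypted (inner) packet at all. */
int inner_packet_filtered(int with_history_check)
{
    struct pkt p = { IPPROTO_ESP, 0, 0, 0 };
    check_ipsec_history = with_history_check;
    ip_input(&p);
    return p.fw_saw_inner;
}

int main(void)
{
    printf("history check on : %d pass(es), inner filtered=%d\n",
           firewall_passes(1), inner_packet_filtered(1));
    printf("history check off: %d pass(es), inner filtered=%d\n",
           firewall_passes(0), inner_packet_filtered(0));
    return 0;
}
```

The model also makes the trade-off explicit: with the history check, the firewall sees the ESP packet exactly once and never sees the decrypted inner packet, so rules written against the inner protocol cannot match; without it, the inner packet is filtered, but only because the whole packet is run through the rules twice. On a real box the observable symptom is the same one Mike reports: per-rule packet counters (for example from `ipfw -a list`) increment twice for a single ESP packet when the second pass is present.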