From: Christian Lackas <c.lackas@kfa-juelich.de>
To: freebsd-stable@freebsd.org
Date: Sat, 5 Jun 2004 18:34:48 +0200
Subject: Cannot get a raw ESP socket with IPFW2 enabled
Message-ID: <20040605163448.GA47126@zel726.zel.kfa-juelich.de>
Organization: Forschungszentrum Juelich
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)
Hello,

I have problems getting a raw ESP socket on a FreeBSD 4.10-RELEASE (and also 4.9-RELEASE and a current 4.10-STABLE) system if IPFW2 is enabled in the kernel configuration. The following test program:

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <stdio.h>

    int main(void)
    {
        int fd;

        /* ask the kernel for a raw IPv4 socket carrying ESP (protocol 50) */
        fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
        printf("fd = %d\n", fd);
        printf("IPPROTO_ESP = %d\n", IPPROTO_ESP);
        if (fd == -1)
            perror("socket(SOCK_RAW)");
        return 0;
    }

gives me:

    fd = -1
    IPPROTO_ESP = 50
    socket(SOCK_RAW): Protocol not supported

But without IPFW2 it works:

    fd = -1
    IPPROTO_ESP = 50
    socket(SOCK_RAW): Operation not permitted

and with root rights it is also permitted:

    fd = 3
    IPPROTO_ESP = 50

Any idea how to fix this?

The complete (working) kernel config file can be found under http://www.lackas.net/freebsd/KERNEL.antares
In this file neither FAST_IPSEC nor IPSEC (nor IPSEC_ESP) are enabled.

BTW: Such a socket is needed by the security/vpnc port. It works perfectly on FreeBSD 5 (which AFAIK uses the firewall that is named IPFW2 under 4, doesn't it?). The vpnc port handles the complete IPSec stuff in user space, so no support in the kernel is needed (apart from this raw ESP socket).

Regards,
Christian

--
Forschungszentrum Juelich
Central Institute For Electronics (ZEL)
Leo-Brandt-Strasse
52425 Juelich, Germany
Tel: +49-2461-61 2425
Fax: +49-2461-61 3990
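The post distinguishes two failure modes of socket(2) that look alike to a casual reader: EPROTONOSUPPORT ("Protocol not supported"), which means the kernel will not hand out a raw socket for that protocol at all, and EPERM ("Operation not permitted"), which means the protocol is there but raw sockets are gated on root. The following diagnostic is an added example, not the poster's program or anything from the vpnc port: it probes several raw protocols in one run and names the category of each errno, so the same check can be repeated on a kernel built with and without IPFW2. It assumes only a POSIX socket API; which line it prints for each protocol depends entirely on the running kernel and on the caller's privileges.

```c
/* Added example (not the original poster's code): probe which raw IP
 * protocols this kernel hands to the calling process and explain the
 * errno.  Output depends on the kernel build and the caller's
 * privileges; it is a diagnostic, not a fix. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Try to open a raw IPv4 socket for `proto`, closing it again on success.
 * Returns 1 if the kernel returned a descriptor, 0 otherwise; the failing
 * errno (or 0 on success) is stored in *err. */
int probe_raw_socket(int proto, int *err)
{
    int fd = socket(PF_INET, SOCK_RAW, proto);
    if (fd == -1) {
        *err = errno;
        return 0;
    }
    *err = 0;
    close(fd);
    return 1;
}

/* Translate the errno from socket(2) into what it says about the kernel:
 * EPERM/EACCES means the protocol exists but raw sockets are privileged;
 * EPROTONOSUPPORT means the kernel does not expose it to raw sockets. */
const char *explain_raw_errno(int err)
{
    switch (err) {
    case 0:
        return "raw socket available";
    case EPERM:
    case EACCES:
        return "protocol is present; raw sockets need root/CAP_NET_RAW";
    case EPROTONOSUPPORT:
        return "kernel does not expose this protocol to raw sockets";
    default:
        return strerror(err);
    }
}

int main(void)
{
    /* Protocols worth comparing: ESP (what vpnc needs), AH, ICMP, RAW. */
    struct { const char *name; int proto; } probes[] = {
        { "IPPROTO_ESP",  IPPROTO_ESP },
        { "IPPROTO_AH",   IPPROTO_AH },
        { "IPPROTO_ICMP", IPPROTO_ICMP },
        { "IPPROTO_RAW",  IPPROTO_RAW },
    };
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err;
        int ok = probe_raw_socket(probes[i].proto, &err);
        printf("%-13s (%3d): %s -> %s\n", probes[i].name, probes[i].proto,
               ok ? "fd opened" : "failed", explain_raw_errno(err));
    }
    return 0;
}
```

Run it once as an unprivileged user and once as root on each kernel: a protocol that reports "needs root" unprivileged and "available" as root is merely privilege-gated, while one that reports "does not expose this protocol" in both runs is missing from that kernel's protocol switch regardless of privilege.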