Date: Thu, 4 Nov 2004 11:19:25 +0200 (EET)
From: Ari Suutari <ari@suutari.iki.fi>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/73517: pfil_hooks (ipfw,pf etc) and ipsec processing order for outgoing packets is wrong
Message-ID: <200411040919.iA49JPh3001543@mato.dyndns.suutari.iki.fi>
Resent-Message-ID: <200411040920.iA49KQc6072747@freefall.freebsd.org>
>Number:         73517
>Category:       kern
>Synopsis:       pfil_hooks (ipfw,pf etc) and ipsec processing order for outgoing packets is wrong
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 04 09:20:26 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Ari Suutari
>Release:        FreeBSD 5.3-RC2 i386
>Organization:
>Environment:
System: FreeBSD mato.suutari.iki.fi 5.3-RC2 FreeBSD 5.3-RC2 #13: Wed Nov 3 17:47:15 EET 2004 ari@mato.suutari.iki.fi:/usr/obj/usr/src/sys/MATO i386
>Description:
When using the IPSEC_FILTERGIF kernel option, the processing order of ipsec and ipfw (pfil_hook) is not correct for outgoing packets. Currently, ipsec processing is done first regardless of IPSEC_FILTERGIF, which makes packets go through without firewall inspection. This might be a security problem for someone, but at least it breaks stateful rule handling.

My test setup is (all FreeBSD 5.3-RC1 machines):

freebsd laptop <-> ipsec tunnel <-> freebsd server

When the server sends a packet to the laptop, it now goes like this:

ip_output -> ipsec -> ipfw -> network

It should go like this:

ip_output -> ipfw -> ipsec -> ipfw -> network
>How-To-Repeat:
Compile a kernel with the IPSEC and IPSEC_FILTERGIF options. Create an ipsec policy which uses esp between two machines. Add firewall rules like

ipfw add count esp from a to b
ipfw add count esp from b to a
ipfw add count icmp from a to b
ipfw add count icmp from b to a

Start pinging from a to b. You'll notice that only one of the icmp counters increases.
>Fix:
I think that this could be fixed by just moving/adding pfil_hook processing in ip_output before ipsec processing when IPSEC_FILTERGIF is enabled. I received an example patch from Mr. Joost Bekkers (http://jodocus.org/ipsec-pfil.diff), but it doesn't fully work for KAME IPSEC (KAME ipsec seems to require having pfil_hooks both before ipsec and after it; FAST_IPSEC queues the packet back to ip_output, so it works correctly with the proposed fix).
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200411040919.iA49JPh3001543>
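The How-To-Repeat steps above, written out as a script. This is an added example, not part of the PR and not code from the submitter or from FreeBSD: the host addresses (a = 10.0.0.1, b = 10.0.0.2), the manually keyed ESP transport policy, the rule numbers and the sample `ipfw show` output are all constructed for illustration. It installs the policy with setkey, adds the four count rules, pings, and then reads the counters back from `ipfw show` to tell whether the outgoing icmp rule fired at all, which on an affected kernel it does not, since ip_output hands the packet to ipsec before the pfil hooks run.

```shell
#!/bin/sh
# Added example, not from the PR: reproduce the pfil/ipsec ordering problem
# and check the ipfw counters. Assumptions (constructed for illustration):
# host a = 10.0.0.1, host b = 10.0.0.2, kernel built with "options IPSEC"
# and "options IPSEC_FILTERGIF", ipfw enabled, manual ESP keys that must
# never be reused for real traffic.

A=10.0.0.1
B=10.0.0.2

# Manually keyed ESP transport policy between a and b (run on a; swap roles on b).
install_policy() {
    setkey -c <<EOF
flush;
spdflush;
add $A $B esp 0x1001 -E rijndael-cbc "0123456789abcdef";
add $B $A esp 0x1002 -E rijndael-cbc "fedcba9876543210";
spdadd $A $B any -P out ipsec esp/transport//require;
spdadd $B $A any -P in  ipsec esp/transport//require;
EOF
}

# The four count rules from the PR, with fixed numbers so they can be looked up.
install_rules() {
    ipfw -q add 100 count esp  from $A to $B
    ipfw -q add 110 count esp  from $B to $A
    ipfw -q add 120 count icmp from $A to $B
    ipfw -q add 130 count icmp from $B to $A
}

# Packet count of one rule, read from `ipfw show` output on stdin.
# `ipfw show` prints: <rule> <pkts> <bytes> <action ...>
rule_pkts() {
    awk -v rule="$1" '$1 + 0 == rule { print $2; exit }'
}

# Succeeds only if both icmp count rules saw traffic. On an affected kernel
# the outgoing icmp rule on the sending host never fires because ipsec has
# already turned the packet into ESP before the pfil hooks see it.
icmp_both_counted() {
    out=$(cat)
    a2b=$(printf '%s\n' "$out" | rule_pkts 120)
    b2a=$(printf '%s\n' "$out" | rule_pkts 130)
    [ "${a2b:-0}" -gt 0 ] && [ "${b2a:-0}" -gt 0 ]
}

# Constructed `ipfw show` output as seen on host a after five pings: on an
# affected kernel (rule 120 never counts) and on a kernel where pfil runs
# before ipsec for outgoing packets.
SHOW_AFFECTED='00100    5     680 count esp from 10.0.0.1 to 10.0.0.2
00110    5     680 count esp from 10.0.0.2 to 10.0.0.1
00120    0       0 count icmp from 10.0.0.1 to 10.0.0.2
00130    5     420 count icmp from 10.0.0.2 to 10.0.0.1'
SHOW_FIXED='00100    5     680 count esp from 10.0.0.1 to 10.0.0.2
00110    5     680 count esp from 10.0.0.2 to 10.0.0.1
00120    5     420 count icmp from 10.0.0.1 to 10.0.0.2
00130    5     420 count icmp from 10.0.0.2 to 10.0.0.1'

# Live reproduction; needs root on a FreeBSD host with the assumed setup.
repro() {
    install_policy
    install_rules
    ipfw -q zero
    ping -c 5 $B >/dev/null
    if ipfw show | icmp_both_counted; then
        echo "both icmp rules counted: pfil hooks ran before ipsec"
    else
        echo "outgoing icmp not counted: ipsec ran before the pfil hooks"
    fi
}

# Only touch the live system when asked: sh repro.sh repro
if [ "${1:-}" = "repro" ]; then
    repro
fi
```

The check deliberately keys on the icmp rules rather than the esp ones: on an affected kernel the esp counters look healthy in both directions, so only the missing outbound icmp hit reveals that the firewall never saw the cleartext packet.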