mpd connects over an L2TP/IPsec VPN with strongswan as the IKE daemon: the strongswan VPN connects and works fine, but an ipfw rule that should match it, ipfw add allow ip from any to $me_ip_vpn_address, does not work: the packets are not matched. The same problem occurs if strongswan is used for an IKEv2 VPN together with ipfw nat: ipfw nat 1 ip from $virtual_ip to any. In releng/9.2 this works fine. Fix: unknown. How-To-Repeat: ipfw matching incoming packets decapsulating ipsec on releng/10.0
It also affects ipsec gif tunnels, and it cannot match or NAT the traffic inside the tunnel either. -- @hshh
Case confirmed. See also: http://forums.freebsd.org/viewtopic.php?f=44&t=44414 http://forums.freebsd.org/viewtopic.php?f=39&t=26755&start=100#p248323
Hello, Same issue with pf. It's not specific to ipfw. -- Nicolas DEFFAYET
Responsible Changed From-To: freebsd-bugs->melifaro Take.
After very long testing, I have discovered the root cause. Revision 254519 breaks the firewall with IPsec. http://svnweb.freebsd.org/base?view=revision&revision=254519 "Move the global M_SKIP_FIREWALL mbuf flags to a protocol layer specific flag instead. The flag is only used within the IP and IPv6 layer 3 protocols. Because some firewall packages treat IPv4 and IPv6 packets the same the flag should have the same value for both." It seems that some code has not been updated to allow the firewall to work with IPsec. -- Nicolas DEFFAYET
Case confirmed. Reversing revision 254519 on 10-STABLE resolves the problem. Because there is a conflict on"sys/sys/mbuf.h" with svn when applying "svn merge -c -254519" I used the following patch:
--- sys/sys/mbuf.h (revision 262373)
+++ sys/sys/mbuf.h (working copy)
@@ -221,6 +221,7 @@
 #define M_MCAST 0x00000020 /* send/received as link-level multicast */
 #define M_PROMISC 0x00000040 /* packet was not for us */
 #define M_VLANTAG 0x00000080 /* ether_vtag is valid */
+#define M_SKIP_FIREWALL 0x00000090
 #define M_FLOWID 0x00000100 /* deprecated: flowid is valid */
 #define M_NOFREE 0x00000200 /* do not free mbuf, embedded in cluster */
 
@@ -248,7 +249,7 @@
  * Flags preserved when copying m_pkthdr.
  */
 #define M_COPYFLAGS \
- (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
+ (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
 M_PROTOFLAGS)
 
 /*
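Review bot: The added `+#define M_SKIP_FIREWALL 0x00000090` is not a single bit: 0x90 is 0x80 | 0x10, where 0x80 is M_VLANTAG two lines above and 0x10 is the M_BCAST position according to the M_FLAG_BITS string quoted later in this thread. Every `m_flags & M_SKIP_FIREWALL` test then succeeds for any VLAN-tagged or broadcast mbuf, so such packets silently bypass ipfw/pf, and setting the flag also marks the packet as VLAN-tagged. A flag value has to be one otherwise-unused bit (the corrected posting that follows uses 0x01000000), and the new bit should also be named in M_FLAG_BITS so printf %b output stays in sync.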
Correction of the patch for "sys/sys/mbuf.h":

--- sys/sys/mbuf.h       (revision 262373)
+++ sys/sys/mbuf.h       (working copy)
@@ -221,6 +221,7 @@
 #define        M_MCAST         0x00000020 /* send/received as link-level multicast */
 #define        M_PROMISC       0x00000040 /* packet was not for us */
 #define        M_VLANTAG       0x00000080 /* ether_vtag is valid */
+#define        M_SKIP_FIREWALL 0x01000000
 #define        M_FLOWID        0x00000100 /* deprecated: flowid is valid */
 #define        M_NOFREE        0x00000200 /* do not free mbuf, embedded in cluster */
 
@@ -248,7 +249,7 @@
  * Flags preserved when copying m_pkthdr.
  */
 #define M_COPYFLAGS \
-    (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
+    (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
      M_PROTOFLAGS)
 
 /*
The problem seems to be that M_SKIP_FIREWALL (macro of M_PROTO3) is cleared through m_clrprotoflags(), i.e. not transferred between the layers.

This is a reversion of the 254519 on 10.0-STABLE:

Index: netinet/ip_var.h
===================================================================
--- netinet/ip_var.h    (revision 262459)
+++ netinet/ip_var.h    (working copy)
@@ -163,12 +163,10 @@
 #define IP_ALLOWBROADCAST    SO_BROADCAST    /* 0x20 can send broadcast packets */
 
 /*
- * IPv4 protocol layer specific mbuf flags.
+ * mbuf flag used by ip_fastfwd
  */
 #define    M_FASTFWD_OURS        M_PROTO1    /* changed dst to local */
 #define    M_IP_NEXTHOP          M_PROTO2    /* explicit ip nexthop */
-#define    M_SKIP_FIREWALL       M_PROTO3    /* skip firewall processing,
-                                               keep in sync with IP6 */
 #define    M_IP_FRAG             M_PROTO4    /* fragment reassembly */
 
 #ifdef __NO_STRICT_ALIGNMENT
Index: netinet6/ip6_var.h
===================================================================
--- netinet6/ip6_var.h    (revision 262459)
+++ netinet6/ip6_var.h    (working copy)
@@ -293,12 +293,7 @@
 #define    IPV6_FORWARDING        0x02    /* most of IPv6 header exists */
 #define    IPV6_MINMTU            0x04    /* use minimum MTU (IPV6_USE_MIN_MTU) */
 
-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define    M_IP6_NEXTHOP         M_PROTO2    /* explicit ip nexthop */
-#define    M_SKIP_FIREWALL       M_PROTO3    /* skip firewall processing,
-                                               keep in sync with IPv4 */
+#define    M_IP6_NEXTHOP         M_PROTO7    /* explicit ip nexthop */
 
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip)    1
Index: sys/mbuf.h
===================================================================
--- sys/mbuf.h    (revision 262459)
+++ sys/mbuf.h    (working copy)
@@ -235,7 +235,7 @@
 #define    M_PROTO9     0x00100000 /* protocol-specific */
 #define    M_PROTO10    0x00200000 /* protocol-specific */
 #define    M_PROTO11    0x00400000 /* protocol-specific */
-#define    M_PROTO12    0x00800000 /* protocol-specific */
+#define    M_SKIP_FIREWALL    0x00800000
 
 /*
  * Flags to purge when crossing layers.
@@ -242,13 +242,13 @@
  */
 #define    M_PROTOFLAGS \
     (M_PROTO1|M_PROTO2|M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|M_PROTO7|M_PROTO8|\
-     M_PROTO9|M_PROTO10|M_PROTO11|M_PROTO12)
+     M_PROTO9|M_PROTO10|M_PROTO11)
 
 /*
  * Flags preserved when copying m_pkthdr.
  */
 #define M_COPYFLAGS \
-    (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
+    (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
      M_PROTOFLAGS)
 
 /*
@@ -255,12 +255,12 @@
  * Mbuf flag description for use with printf(9) %b identifier.
  */
 #define    M_FLAG_BITS \
-    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_BCAST\6M_MCAST" \
-    "\7M_PROMISC\10M_VLANTAG\11M_FLOWID"
+    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_SKIP_FIREWALL\6M_BCAST\7M_MCAST" \
+    "\8M_PROMISC\10M_VLANTAG\11M_FLOWID"
 #define    M_FLAG_PROTOBITS \
     "\15M_PROTO1\16M_PROTO2\17M_PROTO3\20M_PROTO4\21M_PROTO5" \
     "\22M_PROTO6\23M_PROTO7\24M_PROTO8\25M_PROTO9\26M_PROTO10" \
-    "\27M_PROTO11\30M_PROTO12"
+    "\27M_PROTO11"
 #define    M_FLAG_PRINTF (M_FLAG_BITS M_FLAG_PROTOBITS)
 
 /*
The problem seems to be that M_SKIP_FIREWALL (macro of M_PROTO3) is cleared through m_clrprotoflags(), i.e. not transferred between the layers. This is a reversion of the 254519 on 10.0-STABLE:
Index: netinet/ip_var.h
===================================================================
--- netinet/ip_var.h (revision 262459)
+++ netinet/ip_var.h (working copy)
@@ -163,12 +163,10 @@
 #define IP_ALLOWBROADCAST SO_BROADCAST /* 0x20 can send broadcast packets */
 
 /*
- * IPv4 protocol layer specific mbuf flags.
+ * mbuf flag used by ip_fastfwd
  */
 #define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
 #define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing,
- keep in sync with IP6 */
 #define M_IP_FRAG M_PROTO4 /* fragment reassembly */
 
 #ifdef __NO_STRICT_ALIGNMENT
Index: netinet6/ip6_var.h
===================================================================
--- netinet6/ip6_var.h (revision 262459)
+++ netinet6/ip6_var.h (working copy)
@@ -293,12 +293,7 @@
 #define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */
 #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */
 
-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing,
- keep in sync with IPv4 */
+#define M_IP6_NEXTHOP M_PROTO7 /* explicit ip nexthop */
 
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip) 1
Index: sys/mbuf.h
===================================================================
--- sys/mbuf.h (revision 262459)
+++ sys/mbuf.h (working copy)
@@ -235,7 +235,7 @@
 #define M_PROTO9 0x00100000 /* protocol-specific */
 #define M_PROTO10 0x00200000 /* protocol-specific */
 #define M_PROTO11 0x00400000 /* protocol-specific */
-#define M_PROTO12 0x00800000 /* protocol-specific */
+#define M_SKIP_FIREWALL 0x00800000
 
 /*
  * Flags to purge when crossing layers.
@@ -242,13 +242,13 @@
  */
 #define M_PROTOFLAGS \
 (M_PROTO1|M_PROTO2|M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|M_PROTO7|M_PROTO8|\
- M_PROTO9|M_PROTO10|M_PROTO11|M_PROTO12)
+ M_PROTO9|M_PROTO10|M_PROTO11)
 
 /*
  * Flags preserved when copying m_pkthdr.
  */
 #define M_COPYFLAGS \
- (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
+ (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
 M_PROTOFLAGS)
 
 /*
@@ -255,12 +255,12 @@
  * Mbuf flag description for use with printf(9) %b identifier.
  */
 #define M_FLAG_BITS \
- "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_BCAST\6M_MCAST" \
- "\7M_PROMISC\10M_VLANTAG\11M_FLOWID"
+ "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_SKIP_FIREWALL\6M_BCAST\7M_MCAST" \
+ "\8M_PROMISC\10M_VLANTAG\11M_FLOWID"
 #define M_FLAG_PROTOBITS \
 "\15M_PROTO1\16M_PROTO2\17M_PROTO3\20M_PROTO4\21M_PROTO5" \
 "\22M_PROTO6\23M_PROTO7\24M_PROTO8\25M_PROTO9\26M_PROTO10" \
- "\27M_PROTO11\30M_PROTO12"
+ "\27M_PROTO11"
 #define M_FLAG_PRINTF (M_FLAG_BITS M_FLAG_PROTOBITS)
 
 /*
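Review bot: In the sys/mbuf.h M_FLAG_BITS hunk the new string `"\8M_PROMISC\10M_VLANTAG\11M_FLOWID"` uses `\8`, which is not an octal escape in C (octal digits run 0-7); compilers warn or reject it and treat it as a literal '8', so the %b description of M_PROMISC is lost. The bit numbers are also wrong: these strings map position n to value 1<<(n-1), so `\5` is 0x10 (M_BCAST), while M_SKIP_FIREWALL is now 0x00800000 = bit 24, i.e. `\30`, the slot M_PROTO12 just vacated; inserting it at `\5` also shifts M_BCAST, M_MCAST and M_PROMISC to the wrong positions. Leave M_FLAG_BITS unchanged and instead replace `"\27M_PROTO11"` in M_FLAG_PROTOBITS with `"\27M_PROTO11\30M_SKIP_FIREWALL"`. The same hunk appears in the quoted-printable copy of this patch earlier in the thread.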
Another round of testing. In r254519, when the "#define M_SKIP_FIREWALL M_PROTO3" is replaced with "#define M_SKIP_FIREWALL M_PROTO12" the problem disappears. It seems to be a bug related to the definition of M_PROTO3.
It is not related to m_clrprotoflags().
The culprit is the "#define M_DECRYPTED M_PROTO3" in "netinet6/in6.h" (that is regardless of whether or not INET6 has been set). It gets mixed up (netipsec includes in.h, in.h includes in6.h) and so when the M_DECRYPTED flag is set, M_SKIP_FIREWALL flag is also set.
The following patch resolves it (it has to be tested thoroughly).
Index: netipsec/xform_ipip.c
===================================================================
--- netipsec/xform_ipip.c (revision 262492)
+++ netipsec/xform_ipip.c (working copy)
@@ -181,6 +181,7 @@
 IPIPSTAT_INC(ipips_ipackets);
 
 m_copydata(m, 0, 1, &v);
+ m_clrprotoflags(m);
 
 switch (v >> 4) {
 #ifdef INET
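Review bot: `m_clrprotoflags(m)` wipes every M_PROTOn flag on the mbuf, not only the bit that leaks M_SKIP_FIREWALL; in6.h maps M_DECRYPTED, M_AUTHIPHDR and M_AUTHIPDGM onto the same M_PROTO bits (see the r263091 hunk later in this thread), so if any of those were set before ipip decapsulation they are discarded here too, which presumably affects later IPsec policy checks — to confirm against the callers. If the intent is only to drop the firewall-bypass bit, clear that flag explicitly, `m->m_flags &= ~M_SKIP_FIREWALL;`, with a comment stating that the bit aliases M_DECRYPTED. The enclosing function starts and ends outside the hunk.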
> Index: netipsec/xform_ipip.c
> ===================================================================
> --- netipsec/xform_ipip.c (revision 262492)
> +++ netipsec/xform_ipip.c (working copy)
> @@ -181,6 +181,7 @@
> IPIPSTAT_INC(ipips_ipackets);
>
> m_copydata(m, 0, 1, &v);
> + m_clrprotoflags(m);
>
> switch (v >> 4) {
> #ifdef INET
That one does not resolve it correctly, i.e. not all ipsec packets are captured. Furthermore, the captured packets have both directions, in and out (as captured by: allow ip from any to any in, allow ip from any to any out)
On Tue, 2014-02-25 at 23:24 +0100, Georgios Amanakis wrote: > > Index: netipsec/xform_ipip.c > > =================================================================== > > --- netipsec/xform_ipip.c (revision 262492) > > +++ netipsec/xform_ipip.c (working copy) > > @@ -181,6 +181,7 @@ > > IPIPSTAT_INC(ipips_ipackets); > > > > m_copydata(m, 0, 1, &v); > > + m_clrprotoflags(m); > > > > switch (v >> 4) { > > #ifdef INET > > > That one does not resolve it correctly, i.e. not all ipsec packets are > captured. Furthermore, the captured packets have both directions, in > and out (as captured by: allow ip from any to any in, allow ip from > any to any out) Did you test with IPsec as transport mode or as tunnel mode ? -- Nicolas DEFFAYET
The following patch seem to be the only working workaround for IPsec transport mode and tunnel mode. Please note the use of M_PROTO7 instead of M_PROTO5 as that is not used in netinet & netinet6. M_PROTO5 is used for another purpose and so using it may create a conflict like M_PROTO3.
---
Index: netinet/ip_var.h
===================================================================
--- netinet/ip_var.h (revision 262470)
+++ netinet/ip_var.h (working copy)
@@ -167,7 +167,7 @@
  */
 #define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
 #define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing,
+#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall processing,
 keep in sync with IP6 */
 #define M_IP_FRAG M_PROTO4 /* fragment reassembly */
 
Index: netinet6/ip6_var.h
===================================================================
--- netinet6/ip6_var.h (revision 262470)
+++ netinet6/ip6_var.h (working copy)
@@ -297,7 +297,7 @@
  * IPv6 protocol layer specific mbuf flags.
  */
 #define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing,
+#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall processing,
 keep in sync with IPv4 */
 
 #ifdef __NO_STRICT_ALIGNMENT
---
-- Nicolas DEFFAYET
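Review bot: The new `#define M_SKIP_FIREWALL M_PROTO7` in both headers carries no comment saying why M_PROTO7 was chosen, so the reason (the M_PROTO3 clash with M_DECRYPTED and the separate use of M_PROTO5 described in the message) lives only in this mail. Extend the existing `/* skip firewall processing, keep in sync with IP6 */` text in both hunks with something like `must not collide with the M_PROTOn aliases in netinet6/in6.h (M_DECRYPTED, M_AUTHIPDGM)`. Keeping two per-family definitions still leaves in6.h as a third place assigning the same bits, so the clash can recur silently when any of the three tables changes.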
Hey, First off all, thanks for the patch, should we wait for FreeBSD 10.1, use 10.0/stable or patch it our selves? Or is this going to be issued as Errata patch for FreeBSD 10.0-Release? (which I think it should be) Kind Regards, Robert Sevat > Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec > From: nicolas@deffayet.com > To: gamanakis@gmail.com > Date: Fri, 28 Feb 2014 23:36:44 +0100 > CC: andre@freebsd.org; melifaro@freebsd.org; a.v.volobuev@gmail.com; freebsd-bugs@freebsd.org; bug-followup@freebsd.org > > The following patch seem to be the only working workaround for IPsec > transport mode and tunnel mode. Please note the use of M_PROTO7 instead > of M_PROTO5 as that is not used in netinet & netinet6. M_PROTO5 is used > for another purpose and so using it may create a conflict like M_PROTO3. > > --- > Index: netinet/ip_var.h > =================================================================== > --- netinet/ip_var.h (revision 262470) > +++ netinet/ip_var.h (working copy) > @@ -167,7 +167,7 @@ > */ > #define M_FASTFWD_OURS M_PROTO1 /* changed dst to > local */ > #define M_IP_NEXTHOP M_PROTO2 /* explicit ip > nexthop */ > -#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall > processing, > +#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall > processing, > keep in sync with IP6 > */ > #define M_IP_FRAG M_PROTO4 /* fragment > reassembly */ > > Index: netinet6/ip6_var.h > =================================================================== > --- netinet6/ip6_var.h (revision 262470) > +++ netinet6/ip6_var.h (working copy) 
> @@ -297,7 +297,7 @@ > * IPv6 protocol layer specific mbuf flags. > */ > #define M_IP6_NEXTHOP M_PROTO2 /* explicit ip > nexthop */ > -#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall > processing, > +#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall > processing, > keep in sync with > IPv4 */ > > #ifdef __NO_STRICT_ALIGNMENT > --- > > > -- > Nicolas DEFFAYET > > _______________________________________________ > freebsd-bugs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-bugs > To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org" =
Glebius is working on a patch. I hope it will be commited soon to stable. On Tue, Mar 11, 2014 at 7:57 PM, Robert Sevat <robert.sevat@live.nl> wrote: > Hey, > > First off all, thanks for the patch, should we wait for FreeBSD 10.1, use > 10.0/stable or patch it our selves? > > Or is this going to be issued as Errata patch for FreeBSD 10.0-Release? > (which I think it should be) > > Kind Regards, > Robert Sevat > > > > Subject: Re: kern/185876: ipfw not matching incoming packets > decapsulating ipsec. example l2tp/ipsec > > From: nicolas@deffayet.com > > To: gamanakis@gmail.com > > Date: Fri, 28 Feb 2014 23:36:44 +0100 > > CC: andre@freebsd.org; melifaro@freebsd.org; a.v.volobuev@gmail.com; > freebsd-bugs@freebsd.org; bug-followup@freebsd.org > > > > > The following patch seem to be the only working workaround for IPsec > > transport mode and tunnel mode. Please note the use of M_PROTO7 instead > > of M_PROTO5 as that is not used in netinet & netinet6. M_PROTO5 is used > > for another purpose and so using it may create a conflict like M_PROTO3. > > > > --- > > Index: netinet/ip_var.h > > =================================================================== > > --- netinet/ip_var.h (revision 262470) > > +++ netinet/ip_var.h (working copy) > > @@ -167,7 +167,7 @@ > > */ > > #define M_FASTFWD_OURS M_PROTO1 /* changed dst to > > local */ > > #define M_IP_NEXTHOP M_PROTO2 /* explicit ip > > nexthop */ > > -#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall > > processing, > > +#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall > > processing, > > keep in sync with IP6 > > */ > > #define M_IP_FRAG M_PROTO4 /* fragment > > reassembly */ > > > > Index: netinet6/ip6_var.h > > =================================================================== > > --- netinet6/ip6_var.h (revision 262470) > > +++ netinet6/ip6_var.h (working copy) 
> > @@ -297,7 +297,7 @@ > > * IPv6 protocol layer specific mbuf flags. > > */ > > #define M_IP6_NEXTHOP M_PROTO2 /* explicit ip > > nexthop */ > > -#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall > > processing, > > +#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall > > processing, > > keep in sync with > > IPv4 */ > > > > #ifdef __NO_STRICT_ALIGNMENT > > --- > > > > > > -- > > Nicolas DEFFAYET > > > > _______________________________________________ > > freebsd-bugs@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-bugs > > To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org" >
Author: glebius Date: Wed Mar 12 14:29:08 2014 New Revision: 263091 URL: http://svnweb.freebsd.org/changeset/base/263091 Log: Since both netinet/ and netinet6/ call into netipsec/ and netpfil/, the protocol specific mbuf flags are shared between them. - Move all M_FOO definitions into a single place: netinet/in6.h, to avoid future clashes. - Resolve clash between M_DECRYPTED and M_SKIP_FIREWALL which resulted in a failure of operation of IPSEC and packet filters. Thanks to Nicolas and Georgios for all the hard work on bisecting, testing and finally finding the root of the problem. PR: kern/186755 PR: kern/185876 In collaboration with: Georgios Amanakis <gamanakis gmail.com> In collaboration with: Nicolas DEFFAYET <nicolas-ml deffayet.com> Sponsored by: Nginx, Inc. Modified: head/sys/netinet/ip_input.c head/sys/netinet/ip_var.h head/sys/netinet6/in6.h head/sys/netinet6/ip6_var.h
Modified: head/sys/netinet/ip_input.c
==============================================================================
--- head/sys/netinet/ip_input.c Wed Mar 12 12:27:13 2014 (r263090)
+++ head/sys/netinet/ip_input.c Wed Mar 12 14:29:08 2014 (r263091)
@@ -702,6 +702,7 @@ ours:
  * ip_reass() will return a different mbuf.
  */
 if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) {
+ /* XXXGL: shouldn't we save & set m_flags? */
 m = ip_reass(m);
 if (m == NULL)
 return;
@@ -794,6 +795,8 @@ SYSCTL_PROC(_net_inet_ip, OID_AUTO, maxf
 NULL, 0, sysctl_maxnipq, "I",
 "Maximum number of IPv4 fragment reassembly queue entries");
 
+#define M_IP_FRAG M_PROTO9
+
 /*
  * Take incoming datagram fragment and try to reassemble it into
  * whole datagram. If the argument is the first fragment or one
Modified: head/sys/netinet/ip_var.h
==============================================================================
--- head/sys/netinet/ip_var.h Wed Mar 12 12:27:13 2014 (r263090)
+++ head/sys/netinet/ip_var.h Wed Mar 12 14:29:08 2014 (r263091)
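Review bot: `+#define M_IP_FRAG M_PROTO9` is placed in ip_input.c, outside the netinet6/in6.h table that this commit introduces as the single place for protocol-specific mbuf flags, so a future entry using M_PROTO9 in that table would not see the clash — the same failure mode the log describes for M_DECRYPTED and M_SKIP_FIREWALL. Moving the define into the in6.h list as `#define M_IP_FRAG M_PROTO9 /* fragment reassembly */`, or at least adding a comment there that M_PROTO9 is taken by ip_input.c, would keep the table authoritative. The stable/10 merge (r263307) further down carries the same definition unchanged.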
@@ -162,15 +162,6 @@ void kmod_ipstat_dec(int statnum);
 #define IP_ROUTETOIF SO_DONTROUTE /* 0x10 bypass routing tables */
 #define IP_ALLOWBROADCAST SO_BROADCAST /* 0x20 can send broadcast packets */
 
-/*
- * IPv4 protocol layer specific mbuf flags.
- */
-#define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
-#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing,
- keep in sync with IP6 */
-#define M_IP_FRAG M_PROTO4 /* fragment reassembly */
-
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP_HDR_ALIGNED_P(ip) 1
 #else
Modified: head/sys/netinet6/in6.h
==============================================================================
--- head/sys/netinet6/in6.h Wed Mar 12 12:27:13 2014 (r263090)
+++ head/sys/netinet6/in6.h Wed Mar 12 14:29:08 2014 (r263091)
@@ -622,13 +622,18 @@ struct ip6_mtuinfo {
 #endif /* __BSD_VISIBLE */
 
 /*
- * Redefinition of mbuf flags
+ * Since both netinet/ and netinet6/ call into netipsec/ and netpfil/,
+ * the protocol specific mbuf flags are shared between them.
  */
-#define M_AUTHIPHDR M_PROTO2
-#define M_DECRYPTED M_PROTO3
-#define M_LOOP M_PROTO4
-#define M_AUTHIPDGM M_PROTO5
-#define M_RTALERT_MLD M_PROTO6
+#define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
+#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
+#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
+#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing */
+#define M_AUTHIPHDR M_PROTO4
+#define M_DECRYPTED M_PROTO5
+#define M_LOOP M_PROTO6
+#define M_AUTHIPDGM M_PROTO7
+#define M_RTALERT_MLD M_PROTO8
 
 #ifdef _KERNEL
 struct cmsghdr;
Modified: head/sys/netinet6/ip6_var.h
==============================================================================
--- head/sys/netinet6/ip6_var.h Wed Mar 12 12:27:13 2014 (r263090)
+++ head/sys/netinet6/ip6_var.h Wed Mar 12 14:29:08 2014 (r263091)
@@ -293,13 +293,6 @@ struct ip6aux {
 #define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */
 #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */
 
-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing,
- keep in sync with IPv4 */
-
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip) 1
 #else
_______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
State Changed From-To: open->patched Fixed in head/.
Responsible Changed From-To: melifaro->glebius Fixed in head/.
Author: glebius Date: Tue Mar 18 16:56:05 2014 New Revision: 263307 URL: http://svnweb.freebsd.org/changeset/base/263307 Log: Merge r263091: fix mbuf flags clash that lead to failure of operation of IPSEC and packet filters. PR: kern/185876 PR: kern/186755 Modified: stable/10/sys/netinet/ip_input.c stable/10/sys/netinet/ip_var.h stable/10/sys/netinet6/in6.h stable/10/sys/netinet6/ip6_var.h Directory Properties: stable/10/ (props changed)
Modified: stable/10/sys/netinet/ip_input.c
==============================================================================
--- stable/10/sys/netinet/ip_input.c Tue Mar 18 16:41:32 2014 (r263306)
+++ stable/10/sys/netinet/ip_input.c Tue Mar 18 16:56:05 2014 (r263307)
@@ -707,6 +707,7 @@ ours:
  * ip_reass() will return a different mbuf.
  */
 if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) {
+ /* XXXGL: shouldn't we save & set m_flags? */
 m = ip_reass(m);
 if (m == NULL)
 return;
@@ -799,6 +800,8 @@ SYSCTL_PROC(_net_inet_ip, OID_AUTO, maxf
 NULL, 0, sysctl_maxnipq, "I",
 "Maximum number of IPv4 fragment reassembly queue entries");
 
+#define M_IP_FRAG M_PROTO9
+
 /*
  * Take incoming datagram fragment and try to reassemble it into
  * whole datagram. If the argument is the first fragment or one
Modified: stable/10/sys/netinet/ip_var.h
==============================================================================
--- stable/10/sys/netinet/ip_var.h Tue Mar 18 16:41:32 2014 (r263306)
+++ stable/10/sys/netinet/ip_var.h Tue Mar 18 16:56:05 2014 (r263307)
@@ -162,15 +162,6 @@ void kmod_ipstat_dec(int statnum);
 #define IP_ROUTETOIF SO_DONTROUTE /* 0x10 bypass routing tables */
 #define IP_ALLOWBROADCAST SO_BROADCAST /* 0x20 can send broadcast packets */
 
-/*
- * IPv4 protocol layer specific mbuf flags.
- */
-#define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
-#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing,
- keep in sync with IP6 */
-#define M_IP_FRAG M_PROTO4 /* fragment reassembly */
-
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP_HDR_ALIGNED_P(ip) 1
 #else
Modified: stable/10/sys/netinet6/in6.h
==============================================================================
--- stable/10/sys/netinet6/in6.h Tue Mar 18 16:41:32 2014 (r263306)
+++ stable/10/sys/netinet6/in6.h Tue Mar 18 16:56:05 2014 (r263307)
@@ -622,13 +622,18 @@ struct ip6_mtuinfo {
 #endif /* __BSD_VISIBLE */
 
 /*
- * Redefinition of mbuf flags
+ * Since both netinet/ and netinet6/ call into netipsec/ and netpfil/,
+ * the protocol specific mbuf flags are shared between them.
  */
-#define M_AUTHIPHDR M_PROTO2
-#define M_DECRYPTED M_PROTO3
-#define M_LOOP M_PROTO4
-#define M_AUTHIPDGM M_PROTO5
-#define M_RTALERT_MLD M_PROTO6
+#define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
+#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
+#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
+#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing */
+#define M_AUTHIPHDR M_PROTO4
+#define M_DECRYPTED M_PROTO5
+#define M_LOOP M_PROTO6
+#define M_AUTHIPDGM M_PROTO7
+#define M_RTALERT_MLD M_PROTO8
 
 #ifdef _KERNEL
 struct cmsghdr;
Modified: stable/10/sys/netinet6/ip6_var.h
==============================================================================
--- stable/10/sys/netinet6/ip6_var.h Tue Mar 18 16:41:32 2014 (r263306)
+++ stable/10/sys/netinet6/ip6_var.h Tue Mar 18 16:56:05 2014 (r263307)
@@ -293,13 +293,6 @@ struct ip6aux {
 #define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */
 #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */
 
-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
-#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing,
- keep in sync with IPv4 */
-
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip) 1
 #else
_______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
State Changed From-To: patched->closed Merged to stable/10.