The patch applied on 4 Jul 2003 [1] from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624 will not work in current and might never have worked the way it should and is documented. The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c will never match because opt_ipsec.h is never included. Furthermore, because only the check in the verify path (ipfw_chk) is #ifdef'ed and not the path where the rules get checked before insertion (check_ipfw_struct), __there will be no complaints when adding a rule with the ipsec option__!

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33&r2=1.34

Fix: this patch has been verified to make O_IPSEC work for me with IPSEC; it has not been verified to work with FAST_IPSEC. Additionally one may also add something like #if defined(IPSEC) || defined(FAST_IPSEC) for O_IPSEC in check_ipfw_struct().

How-To-Repeat: add a rule that should match all traffic with ipsec history, with the log option, at an appropriate place in your ruleset; something like:

ipfw add ... log ip from any to any ipsec

There will be no match logged. Alternatively you may simply grep for ipsec_gethist in ip_fw2.o; this also will not find a match, though it should be in there.
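The failure mode reported above is an asymmetry between two code paths: the insertion-time validator (check_ipfw_struct) accepts O_IPSEC unconditionally, while the per-packet evaluator (ipfw_chk) only contains the O_IPSEC test when the kernel option is compiled in, so the rule is accepted and then never matches. The following user-space model is an added example written for this page; it is not FreeBSD code and not the PR's patch. The rule, instruction and packet structures are simplified stand-ins for ipfw's, and the runtime `kernel_has_ipsec` flag stands in for what is a compile-time #ifdef in the kernel so that both kernel configurations can be exercised in one run. The "ignored opcode never matches" behaviour is modelled on the PR's observation that no match is logged; the example does not claim what the real ipfw_chk default arm does.

```c
/*
 * Added example, not FreeBSD code: a model of the check/match asymmetry
 * described in this PR. validate_rule() plays check_ipfw_struct, and
 * rule_matches() plays ipfw_chk. The runtime kernel_has_ipsec flag stands
 * in for the kernel's compile-time IPSEC option (an assumption of this
 * model, made so both configurations can be tested in one binary).
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum opcode { O_NOP = 0, O_PROTO, O_LOG, O_IPSEC };

struct insn {
    enum opcode op;
    int arg;                /* protocol number for O_PROTO, unused otherwise */
};

struct rule {
    const struct insn *cmds;
    size_t ncmds;
};

struct pkt {
    int proto;
    bool ipsec_history;     /* packet arrived through IPsec processing */
};

/*
 * Insertion-time validation, as check_ipfw_struct would do it.
 * gate_ipsec_here == false models the reported code (O_IPSEC always
 * accepted); gate_ipsec_here == true models the proposed guard
 * (#if defined(IPSEC) || defined(FAST_IPSEC) around case O_IPSEC).
 * Returns 0 when the rule is accepted, EINVAL when it is rejected.
 */
int validate_rule(const struct rule *r, bool kernel_has_ipsec, bool gate_ipsec_here)
{
    for (size_t i = 0; i < r->ncmds; i++) {
        switch (r->cmds[i].op) {
        case O_NOP:
        case O_PROTO:
        case O_LOG:
            break;
        case O_IPSEC:
            if (gate_ipsec_here && !kernel_has_ipsec)
                return EINVAL;  /* fail loudly at `ipfw add` time */
            break;
        default:
            return EINVAL;      /* unknown opcode */
        }
    }
    return 0;
}

/*
 * Per-packet evaluation, as ipfw_chk would do it: every opcode must match.
 * When the kernel has no IPsec support the O_IPSEC test is compiled out and,
 * per the PR, the rule never produces a match; modelled here as a non-match.
 */
bool rule_matches(const struct rule *r, const struct pkt *p, bool kernel_has_ipsec)
{
    for (size_t i = 0; i < r->ncmds; i++) {
        switch (r->cmds[i].op) {
        case O_NOP:
        case O_LOG:
            break;
        case O_PROTO:
            if (p->proto != r->cmds[i].arg)
                return false;
            break;
        case O_IPSEC:
            if (!kernel_has_ipsec || !p->ipsec_history)
                return false;
            break;
        default:
            return false;
        }
    }
    return true;
}

/*
 * The hazard itself: a rule that `ipfw add` accepts but that cannot match
 * even the most favourable packet. Returns true only for the silent case;
 * a rule rejected at validation time is visible to the operator and is
 * therefore not counted as dead.
 */
bool rule_is_dead(const struct rule *r, bool kernel_has_ipsec, bool gate_ipsec_here)
{
    if (validate_rule(r, kernel_has_ipsec, gate_ipsec_here) != 0)
        return false;
    struct pkt best = { .proto = 0, .ipsec_history = true };
    for (size_t i = 0; i < r->ncmds; i++)
        if (r->cmds[i].op == O_PROTO)
            best.proto = r->cmds[i].arg;    /* satisfy any protocol test */
    return !rule_matches(r, &best, kernel_has_ipsec);
}

/* Constructed rule mirroring the How-To-Repeat: "log ip from any to any ipsec". */
static const struct insn log_ipsec_cmds[] = { { O_LOG, 0 }, { O_IPSEC, 0 } };
const struct rule log_ipsec_rule = { log_ipsec_cmds, 2 };

int main(void)
{
    printf("no IPSEC, ungated validator : dead=%d\n", rule_is_dead(&log_ipsec_rule, false, false));
    printf("no IPSEC, gated validator   : dead=%d (rejected with EINVAL)\n", rule_is_dead(&log_ipsec_rule, false, true));
    printf("IPSEC kernel                : dead=%d\n", rule_is_dead(&log_ipsec_rule, true, true));
    return 0;
}
```

The first line of output is the reported bug: the rule is accepted and silently never fires. Gating the validator on the same predicate as the evaluator turns that into an EINVAL at `ipfw add` time, which is the property a reviewer should look for whenever a rule option depends on a kernel build option: the accept path and the match path must agree.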
Adding to audit log from misfiled PR 58910: Ari Suutari <ari.suutari@syncrontech.com> wrote:

Wow! The initial patch I submitted must have been incomplete somehow, because I really tested this thing on -current. The reason might be that the first patch didn't include #ifdef IPSEC at all. Then someone (maybe me on another machine...) who tested it complained about the kernel not compiling without IPSEC, and I added the #ifdef IPSEC without testing it 'since it was such a small change'. Please someone, commit the suggested patch. Also, if these changes have gone to 4.9, it might be good to include this fix for RELENG_4_9 since it is security related.

Ari S.

[guess it's too late for that last part -- mcl]
Responsible Changed From-To: freebsd-bugs->luigi
Assign to ipfw author
Hi, I am currently using this patch on IPSec systems and have verified that it works for me. I think it really should be committed before 5.2. Remarks: I have not yet been able to test it on a non-ipsec or fast_ipsec system, and there is an offset in the patch due to another one I am using. --- ipsec-test/sys/netinet/ip_fw2.c.orig Tue Nov 4 18:08:00 2003 +++ ipsec-test/sys/netinet/ip_fw2.c Tue Nov 4 18:17:18 2003 @@ -37,6 +37,7 @@ #include "opt_ipdn.h" #include "opt_ipdivert.h" #include "opt_inet.h" +#include "opt_ipsec.h" #ifndef INET #error IPFIREWALL requires INET. #endif /* INET */ @@ -2509,7 +2510,9 @@ case O_TCPOPTS: case O_ESTAB: case O_VERREVPATH: +#if defined(IPSEC) || defined(FAST_IPSEC) case O_IPSEC: +#endif if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; break; -- Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/
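Review bot: the `+#include "opt_ipsec.h"` in the first hunk (@@ -37,6 +37,7 @@) is the line that makes the existing `#ifdef IPSEC` around `case O_IPSEC:` in ipfw_chk able to fire at all; as the PR opener says, without this header the macro is never defined in ip_fw2.c, so the hunk addresses the root cause and belongs with the other opt_*.h includes exactly where it is placed. Two things to confirm before commit: that the include comes before the first preprocessor test of IPSEC or FAST_IPSEC anywhere in the file (true for the include block shown, but worth a grep), and that the same header is the one that carries FAST_IPSEC, since the opener reports the result is only verified on an IPSEC kernel and the matching code it describes tests `#ifdef IPSEC` alone.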
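Review bot: the guard `+#if defined(IPSEC) || defined(FAST_IPSEC)` around `case O_IPSEC:` in the second hunk (@@ -2509,7 +2510,9 @@) is wider than the `#ifdef IPSEC` the opener describes around the match code in ipfw_chk, so on a FAST_IPSEC-only kernel a rule with the ipsec option would pass check_ipfw_struct here and still never match in ipfw_chk; use one predicate in both places (either extend the ipfw_chk guard to FAST_IPSEC, with a history test that works there, or narrow this one to IPSEC). Also settle the intended behaviour on a kernel with neither option: with this hunk `case O_IPSEC:` disappears from the switch and the option falls to the default arm instead of being accepted, so `ipfw add ... ipsec` fails rather than the option being silently ignored, and ipfw(8) has to document whichever of the two is chosen (the closing message in this PR says the man page now documents "ignored", which is the opposite of what this hunk implements).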
>Submitter-Id: current-users
>Originator: Bjoern A. Zeeb
>Organization: Zabbadoz.NeT
>Confidential: no
>Synopsis: Re: kern/58899: [fix] ipfw2 ipsec history option not working
>Severity: critical
>Priority: high
>Category: kern
>Class: sw-bug
>Release: 5.1-CURRENT i386
>Environment:
FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003 bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001 i386
>Fix:
A patch for the missing include has been committed and the man page has been updated to reflect that the ipsec option will be ignored if no ipsec support is compiled into the kernel. Thus I consider the second half (#ifdef) of my last patch unneeded. Please close this PR.
State Changed From-To: open->closed
The change to add the needed #include was committed; the other issue is still up for discussion but should probably be tracked separately.