kern/54874: ip6fw does not handle ESP correctly

Jinmei Tatuya jinmei at
Fri Jul 25 15:50:18 PDT 2003

>Number:         54874
>Category:       kern
>Synopsis:       ip6fw does not handle ESP correctly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 25 15:50:14 PDT 2003
>Originator:     JINMEI Tatuya
>Release:        FreeBSD 4.8-RELEASE i386
Toshiba Corporation
System: FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Thu Jun 26 13:24:02 JST 2003 jinmei at i386

>Description:
ip6fw does not recognize ESP packets correctly when the packets are specified
as protocol 50 (or "ESP") by the ip6fw command.  For example, even if the
following line is installed:

add pass esp from any to any

The kernel does not apply this rule to IPv6 ESP packets.  Instead, we need
to specify it like this:

add pass all from any to any ipv6options esp

I don't think this is intentional.

>How-To-Repeat:
See above.

>Fix:
I believe the following patch should be applied.  Apparently the current code
will also need the same fix.

Index: ip6_fw.c
RCS file: /home/ncvs/src/sys/netinet6/ip6_fw.c,v
retrieving revision
diff -u -r1.2.2.9 ip6_fw.c
--- ip6_fw.c	28 Apr 2002 05:40:27 -0000
+++ ip6_fw.c	25 Jul 2003 22:49:39 -0000
@@ -288,6 +288,7 @@
 			case IPPROTO_ESP:
 				opts &= ~IPV6_FW_IP6OPT_ESP;
 				nopts &= ~IPV6_FW_IP6OPT_ESP;
+				goto opts_check;
 			case IPPROTO_NONE:
 				opts &= ~IPV6_FW_IP6OPT_NONXT;
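Review bot: the added `goto opts_check;` is the whole fix, and its correctness depends on two things the hunk does not show: that an `opts_check` label exists in this function, and that the IPPROTO_ESP arm was the only place where a protocol-matchable header fell through into the IPPROTO_NONE arm (which, as the trailing context shows, clears the IPV6_FW_IP6OPT_NONXT bits that the ESP arm never intended to touch). Please confirm both against the full switch, and add a one-line comment above the `goto` stating that ESP ends the extension-header walk here so a later reader does not "fix" it back into a fall-through. Since the report says the -current tree needs the same change, that port should be checked against its own version of this loop rather than applied blindly, because the label name and surrounding arms may differ there.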
