bin/107392: [patch] setkey does not recognize esp as protocol name for spdadd
Eugene Grosbein
eugen at grosbein.pp.ru
Mon Jan 1 00:20:15 PST 2007
>Number: 107392
>Category: bin
>Synopsis: [patch] setkey does not recognize esp as protocol name for spdadd
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 01 08:20:13 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Eugene Grosbein
>Release: FreeBSD 6.1-STABLE i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD nkz.delikates-nk.ru 6.1-STABLE FreeBSD 6.1-STABLE #1: Thu Sep 7 13:31:53 KRAST 2006 root at nkz.delikates-nk.ru:/home/obj/home/src/sys/NKZ i386
>Description:
This PR is very similar to bin/63616 and the fix
is nearly identical. The following spdadd line cannot be
parsed by setkey(8) currently:
spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;
However, such functionality is required as a workaround
for a kernel design problem: if an outgoing packet encrypted with IPSEC
is passed to the TCP/IP stack a second time by IPDIVERT
or DUMMYNET (when net.inet.ip.fw.one_pass=0), it may be
encrypted with IPSEC a second time, which breaks PMTUD.
See kern/103135 for details.
The spdadd line shown above prevents IPSEC from making this logic error
and so provides a workaround. But setkey does not parse it.
>How-To-Repeat:
Try to process the spdadd line shown above with setkey(8).
>Fix:
This patch is very much like parse.y revision 1.5, which fixed the same issue for tcp.
parse.y is located in sbin/setkey/ in recent versions,
and the same file is in usr.sbin/setkey/ for RELENG_4.
--- parse.y.orig Mon Jan 1 14:31:55 2007
+++ parse.y Mon Jan 1 14:32:04 2007
@@ -683,6 +683,7 @@
: DECSTRING { $$ = $1; }
| ANY { $$ = IPSEC_ULPROTO_ANY; }
| PR_TCP { $$ = IPPROTO_TCP; }
+ | PR_ESP { $$ = IPPROTO_ESP; }
| STRING
{
struct protoent *ent;
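Review bot: the new `| PR_ESP { $$ = IPPROTO_ESP; }` alternative only compiles if PR_ESP is already declared in the %token list and the scanner already returns it for the word `esp`; this hunk touches neither, so confirm both exist (the word being reserved elsewhere in the grammar is presumably exactly why it never reaches the `STRING` / `getprotobyname` fallback in the lines below and is reported as a syntax error today). The same shadowing will hit any other protocol name the scanner reserves as a keyword, so check whether `ah` and `ipcomp` are keywords too and, if so, give them matching alternatives in this production rather than a separate PR each, following the pattern of the PR_TCP line. The setkey(8) man page's description of the upper-layer protocol field of spdadd should also list `esp` alongside `tcp` once this goes in.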
I'd be glad to see this trivial patch backported
to RELENG_5 and RELENG_4 :-)
Eugene Grosbein
>Release-Note:
>Audit-Trail:
>Unformatted:
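To make the failure mode behind this PR concrete, here is an added toy model of the parse.y production being patched; it is illustration code written for this page, not FreeBSD's setkey source. It assumes that the scanner reserves `any`, `tcp`, `esp` and `ah` as keyword tokens before the generic STRING rule runs (the real keyword list is longer), and it replaces the getprotobyname(3) lookup with a small constructed table so it runs without /etc/protocols. The point it shows is that a reserved word which the upper-layer-protocol production does not list never reaches the STRING fallback, so `esp` is a syntax error even though the protocol database knows it, and that the one-line grammar addition from the patch is what fixes that.

```python
import re

# Protocol numbers as defined in <netinet/in.h>; IPSEC_ULPROTO_ANY is the
# value setkey uses for the keyword "any" (from <netipsec/ipsec.h>).
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPSEC_ULPROTO_ANY = 255

# Words the scanner turns into dedicated tokens before the generic STRING
# rule can match. Assumption: this mirrors the keyword list of setkey's
# token.l; only the four needed for the illustration are modelled.
KEYWORDS = {"any": "ANY", "tcp": "PR_TCP", "esp": "PR_ESP", "ah": "PR_AH"}

# Constructed stand-in for getprotobyname(3) / /etc/protocols so the example
# runs without the system database. Note that esp and ah ARE in it: the
# database would resolve them fine if the parser ever asked it.
PROTOCOLS = {"icmp": 1, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


class ParseError(Exception):
    """Stands in for yacc's 'syntax error' / setkey's error report."""


def lex(word):
    """Return (token, text) the way a keyword-aware scanner would."""
    if word in KEYWORDS:
        return KEYWORDS[word], word
    if re.fullmatch(r"[0-9]+", word):
        return "DECSTRING", word
    return "STRING", word


def parse_upperspec(word, patched=False):
    """Model of the upper-layer-protocol production in parse.y.

    `patched` selects the grammar with the PR's extra PR_ESP alternative.
    """
    token, text = lex(word)
    if token == "DECSTRING":
        return int(text)
    if token == "ANY":
        return IPSEC_ULPROTO_ANY
    if token == "PR_TCP":
        return IPPROTO_TCP
    if patched and token == "PR_ESP":
        return IPPROTO_ESP
    if token == "STRING":
        # Fallback the real grammar implements with getprotobyname().
        if text not in PROTOCOLS:
            raise ParseError(f"unknown protocol name {text!r}")
        return PROTOCOLS[text]
    # A keyword token with no alternative in this production: yacc has no
    # rule to reduce it, so the whole spdadd line is rejected.
    raise ParseError(f"syntax error at {text!r}")


# Only the subset of spdadd syntax used in the PR is modelled.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(\S+)\s*;"
)


def parse_spdadd(line, patched=False):
    """Parse 'spdadd SRC DST UPPER -P DIR POLICY;' into a dict."""
    m = SPDADD_RE.fullmatch(line.strip())
    if not m:
        raise ParseError(f"cannot parse spdadd line: {line!r}")
    src, dst, upper, direction, policy = m.groups()
    return {
        "src": src,
        "dst": dst,
        "proto": parse_upperspec(upper, patched),
        "dir": direction,
        "policy": policy,
    }


def accepted(line, patched=False):
    """True if setkey (as modelled here) would accept the line."""
    try:
        parse_spdadd(line, patched)
        return True
    except ParseError:
        return False


if __name__ == "__main__":
    line = "spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;"
    print("before patch:", accepted(line))            # False
    print("after patch: ", parse_spdadd(line, True))  # proto is 50
    # A name the scanner does not reserve takes the STRING path either way.
    print("udp:", parse_spdadd(line.replace(" esp ", " udp "))["proto"])
```

Running it shows `ah` failing in exactly the same way both before and after the patch, which is why a reviewer would want every reserved protocol keyword listed in that production, not just the one this PR needed.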