Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related traffic through
To: kern-bug-people@netbsd.org, gnats-admin@netbsd.org
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 02/28/2005 21:47:01
The following reply was made to PR kern/29560; it has been noted by GNATS.
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related traffic through
Date: Mon, 28 Feb 2005 16:46:50 -0500
On Feb 28, 8:04pm, arto@selonen.org (arto@selonen.org) wrote:
-- Subject: kern/29560: latest ipfilter does not allow certain IPSEC related
Does this fix the problem?
christos
Index: fil.c
===================================================================
RCS file: /cvsroot/src/sys/dist/ipf/netinet/fil.c,v
retrieving revision 1.9
diff -u -u -r1.9 fil.c
--- fil.c 19 Feb 2005 21:30:25 -0000 1.9
+++ fil.c 28 Feb 2005 21:42:19 -0000
@@ -2090,11 +2090,20 @@
if (fr_addstate(fin, NULL, 0) != NULL) {
ATOMIC_INCL(frstats[out].fr_ads);
} else {
+#ifdef notdef
+ /*
+ * This blocks ICMP ECHOREPLY. fr_addstate returning
+ * NULL is not necessary a bad thing because there
+ * is no state to be added on some packets, eg.
+ * icmp reply packets. XXX: but for others this
+ * is wrong.
+ */
ATOMIC_INCL(frstats[out].fr_bads);
if (FR_ISPASS(pass)) {
pass &= ~FR_CMDMASK;
pass |= FR_BLOCK;
}
+#endif
}
}
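Review bot: wrapping the entire else branch in `#ifdef notdef` (from `+#ifdef notdef` through `+#endif`) removes the FR_BLOCK override for every packet on which fr_addstate() returns NULL, not only the ICMP ECHOREPLY case the new comment describes, and it also stops the `ATOMIC_INCL(frstats[out].fr_bads);` counter from being incremented, so a failed state add leaves no trace in the statistics at all; the comment itself concedes this ("XXX: but for others this is wrong"). Suggest keeping the fr_bads increment unconditional and narrowing the skip to the packets that legitimately have no state to add (the icmp reply packets the comment names), i.e. test the packet type before reaching `pass |= FR_BLOCK;` rather than compiling the whole branch out; if this is meant only as a diagnostic to confirm the reporter's symptom, the comment should say so. Two smaller points: the hunk header advertises 11 old / 20 new lines but only 10 / 19 are shown, so a line appears to have been lost in the mail and the patch may not apply cleanly as quoted, and "not necessary a bad thing" in the comment should read "not necessarily a bad thing".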