Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related traffic through
To: None <gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 02/28/2005 16:46:50
On Feb 28,  8:04pm, arto@selonen.org (arto@selonen.org) wrote:
-- Subject: kern/29560: latest ipfilter does not allow certain IPSEC related 

Does this fix the problem?

christos

Index: fil.c
===================================================================
RCS file: /cvsroot/src/sys/dist/ipf/netinet/fil.c,v
retrieving revision 1.9
diff -u -u -r1.9 fil.c
--- fil.c	19 Feb 2005 21:30:25 -0000	1.9
+++ fil.c	28 Feb 2005 21:42:19 -0000
@@ -2090,11 +2090,20 @@
 		if (fr_addstate(fin, NULL, 0) != NULL) {
 			ATOMIC_INCL(frstats[out].fr_ads);
 		} else {
+#ifdef notdef
+			/*
+			 * This blocks ICMP ECHOREPLY. fr_addstate returning
+			 * NULL is not necessary a bad thing because there
+			 * is no state to be added on some packets, eg.
+			 * icmp reply packets. XXX: but for others this
+			 * is wrong.
+			 */
 			ATOMIC_INCL(frstats[out].fr_bads);
 			if (FR_ISPASS(pass)) {
 				pass &= ~FR_CMDMASK;
 				pass |= FR_BLOCK;
 			}
+#endif
 		}
 	}
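Review bot: The `#ifdef notdef` around the whole else-branch (from `ATOMIC_INCL(frstats[out].fr_bads);` through the `pass |= FR_BLOCK;` block) turns every `fr_addstate()` failure into a pass, not just the ICMP ECHOREPLY case the comment names, and the comment itself concedes "for others this is wrong". For a keep-state rule on a flow where state genuinely could not be created (table full, memory exhausted), the old code failed closed by rewriting `pass` to `FR_BLOCK`; with this change it fails open. Suggest keeping the block fallback and instead distinguishing the benign "nothing to track" case from a real failure, for example by testing the packet's protocol and ICMP type in `fin` before deciding to block, or by having `fr_addstate()` report why it returned NULL, so only the no-state-needed packets are exempted. Also note that disabling the `frstats[out].fr_bads` increment removes the counter administrators use to see that state additions are failing; keep that increment even for packets that are ultimately passed.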