From ler@lerlaptop-red.iadfw.net Mon Mar 1 13:20:04 2004
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3B09D16A4CF
	for ; Mon, 1 Mar 2004 13:20:04 -0800 (PST)
Received: from lerlaptop-red.iadfw.net (lerlaptop-red.iadfw.net [207.136.3.72])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1078143D53
	for ; Mon, 1 Mar 2004 13:20:04 -0800 (PST)
	(envelope-from ler@lerlaptop-red.iadfw.net)
Received: from lerlaptop-red.iadfw.net (localhost [127.0.0.1])
	by lerlaptop-red.iadfw.net (8.12.11/8.12.10) with ESMTP id i21LK309000964
	for ; Mon, 1 Mar 2004 15:20:03 -0600 (CST)
	(envelope-from ler@lerlaptop-red.iadfw.net)
Received: (from ler@localhost)
	by lerlaptop-red.iadfw.net (8.12.11/8.12.10/Submit) id i21LK3lM000959;
	Mon, 1 Mar 2004 15:20:03 -0600 (CST)
	(envelope-from ler)
Message-Id: <200403012120.i21LK3lM000959@lerlaptop-red.iadfw.net>
Date: Mon, 1 Mar 2004 15:20:03 -0600 (CST)
From: Larry Rosenman
Reply-To: Larry Rosenman
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: setkey no longer recognizes tcp in an spdadd line
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         63616
>Category:       bin
>Synopsis:       setkey no longer recognizes tcp in an spdadd line
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 01 13:20:11 PST 2004
>Closed-Date:    Tue Apr 06 03:02:34 PDT 2004
>Last-Modified:  Tue Apr 06 03:02:34 PDT 2004
>Originator:     Larry Rosenman
>Release:        FreeBSD 5.2-CURRENT i386
>Organization:
LERCTR Consulting
>Environment:
System: FreeBSD lerlaptop-red.iadfw.net 5.2-CURRENT FreeBSD 5.2-CURRENT #96: Mon Mar 1 12:13:00 CST 2004 ler@lerlaptop-red.iadfw.net:/usr/obj/usr/src/sys/LERLAPTOP i386

>Description:
I have the following /etc/ipsec.conf:

spdflush;
#spdadd 207.158.72.14[any] 207.158.72.11[53] udp -P out none;
#spdadd 207.158.72.14[any] 192.147.25.11[53] udp -P out none;
#spdadd 207.158.72.11[53] 207.158.72.14[any] udp -P in none;
#spdadd 192.147.25.11[53] 207.158.72.14[any] udp -P in none;
#spdadd 207.158.72.14[any] 207.158.72.45[53] udp -P out none;
#spdadd 207.158.72.14[any] 192.147.25.45[53] udp -P out none;
#spdadd 207.158.72.45[53] 207.158.72.14[any] udp -P in none;
#spdadd 192.147.25.45[53] 207.158.72.14[any] udp -P in none;
#spdadd 207.158.72.14[any] 207.159.72.11[500] any -P out ipsec
#        esp/transport//use;
#spdadd 207.158.72.14[any] 192.147.25.11[500] any -P out ipsec
#        esp/transport//use;
#spdadd 207.158.72.11[500] 207.158.72.14[any] any -P in ipsec
#        esp/transport//use;
#spdadd 192.147.25.11[500] 207.158.72.14[any] any -P in ipsec
#        esp/transport//use;
#spdadd 207.158.72.14[any] 207.159.72.45[500] any -P out ipsec
#        esp/transport//use;
#spdadd 207.158.72.14[any] 192.147.25.45[500] any -P out ipsec
#        esp/transport//use;
#spdadd 207.158.72.45[500] 207.158.72.14[any] any -P in ipsec
#        esp/transport//use;
#spdadd 192.147.25.45[500] 207.158.72.14[any] any -P in ipsec
#        esp/transport//use;
spdadd 207.158.72.14[any] 207.158.72.11[any] tcp -P out ipsec
        esp/transport//require ;
spdadd 207.158.72.14[any] 192.147.25.11[any] tcp -P out ipsec
        esp/transport//require ;
spdadd 207.158.72.11[any] 207.158.72.14[any] tcp -P in ipsec
        esp/transport//require ;
spdadd 192.147.25.11[any] 207.158.72.14[any] tcp -P in ipsec
        esp/transport//require ;
#spdadd 207.158.72.14[any] 207.158.72.45[any] any -P out ipsec
#        esp/transport//require ;
#spdadd 207.158.72.14[any] 192.147.25.45[any] any -P out ipsec
#        esp/transport//require ;
#spdadd 207.158.72.45[any] 207.158.72.14[any] any -P in ipsec
#        esp/transport//require ;
#spdadd 192.147.25.45[any] 207.158.72.14[any] any -P in ipsec
#        esp/transport//require ;
#######
#spdadd 207.136.3.72[any] 207.158.72.11[53] udp -P out none;
#spdadd 207.158.72.11[53] 207.136.3.72[any] udp -P in none;
#spdadd 207.136.3.72[any] 192.147.25.11[53] udp -P out none;
#spdadd 192.147.25.11[53] 207.136.3.72[any] udp -P in none;
#spdadd 207.136.3.72[any] 207.158.72.11[500] udp -P out ipsec
#        esp/transport//use;
#spdadd 207.158.72.11[500] 207.136.3.72[any] any -P in ipsec
#        esp/transport//use;
#spdadd 207.136.3.72[any] 192.147.25.11[500] any -P out ipsec
#        esp/transport//use;
#spdadd 192.147.25.11[500] 207.136.3.72[any] any -P in ipsec
#        esp/transport//use;
spdadd 207.136.3.72[any] 207.158.72.11[any] tcp -P out ipsec
        esp/transport//require ;
spdadd 207.136.3.72[any] 192.147.25.11[any] tcp -P out ipsec
        esp/transport//require ;
spdadd 207.158.72.11[any] 207.136.3.72[any] tcp -P in ipsec
        esp/transport//require ;
spdadd 192.147.25.11[any] 207.136.3.72[any] tcp -P in ipsec
        esp/transport//require ;
#spdadd 207.136.3.72[any] 207.158.72.45[any] any -P out ipsec
#        esp/transport//require ;
#spdadd 207.136.3.72[any] 192.147.25.45[any] any -P out ipsec
#        esp/transport//require ;
#spdadd 207.158.72.45[any] 207.136.3.72[any] any -P in ipsec
#        esp/transport//require ;
#spdadd 192.147.25.45[any] 207.136.3.72[any] any -P in ipsec
#        esp/transport//require ;
#######

and when I booted today's -CURRENT, it complained about [tcp] on line 26.
This had been working with a kernel / world from ~1 month ago.

I changed all the uncommented lines to have any in that field, and it
parses, but this is BROKEN.

>How-To-Repeat:
See above
>Fix:

>Release-Note:
>Audit-Trail:

State-Changed-From-To: open->feedback
State-Changed-By: bms
State-Changed-When: Wed Mar 31 10:39:43 PST 2004
State-Changed-Why:
I committed a fix from ume-san for this, does this solve the problem
for you? Awaiting test results on -STABLE before MFCing.

http://www.freebsd.org/cgi/query-pr.cgi?pr=63616

State-Changed-From-To: feedback->closed
State-Changed-By: bms
State-Changed-When: Tue Apr 6 03:02:13 PDT 2004
State-Changed-Why:
Fix from ume@ committed on HEAD and RELENG_4. thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=63616

>Unformatted:
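The workaround the submitter mentions (putting `any` in the upper-layer protocol field) does more than get the file past the parser: it widens each `require` policy from TCP to every protocol, so any UDP or ICMP traffic between the same two hosts now needs an ESP SA too. The following Python model, added here as an editor's example and not part of the PR, of setkey, or of the FreeBSD kernel, parses the four uncommented policies for 207.158.72.14 from the file above, applies the same `tcp` -> `any` rewrite, and looks up an SSH connection and a DNS query against both versions. The statement grammar, the accepted protocol names, the first-match lookup, and the assumption that a packet with no matching entry is simply passed in the clear (the kernel's bypass default unless the administrator changed it) are all simplifications made for illustration; real setkey/KAME SPD semantics are richer than this.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four uncommented entries from the PR's /etc/ipsec.conf
# for host 207.158.72.14, exactly as the submitter wrote them (protocol tcp).
SPD_TCP = """
spdflush;
spdadd 207.158.72.14[any] 207.158.72.11[any] tcp -P out ipsec
    esp/transport//require ;
spdadd 207.158.72.14[any] 192.147.25.11[any] tcp -P out ipsec
    esp/transport//require ;
spdadd 207.158.72.11[any] 207.158.72.14[any] tcp -P in ipsec
    esp/transport//require ;
spdadd 192.147.25.11[any] 207.158.72.14[any] tcp -P in ipsec
    esp/transport//require ;
"""

# Upper-layer protocol names this toy parser accepts (assumption: a subset of
# what setkey's grammar allows; the PR is about tcp dropping out of that set).
UPPER_LAYER = {"any", "tcp", "udp", "icmp", "icmp6"}


@dataclass
class Policy:
    src: str
    sport: Optional[int]   # None means [any]
    dst: str
    dport: Optional[int]
    proto: str
    direction: str         # "in" or "out"
    action: str            # "ipsec", "discard" or "none"
    ipsec_spec: str        # e.g. "esp/transport//require", "" for none/discard


SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\[(\w+)\]\s+(\S+)\[(\w+)\]\s+(\w+)\s+-P\s+(in|out)\s+"
    r"(ipsec|discard|none)(?:\s+(\S+))?$"
)


def _port(tok: str) -> Optional[int]:
    return None if tok == "any" else int(tok)


def parse_spd(conf: str) -> List[Policy]:
    """Parse spdadd statements; '#' lines are comments, ';' ends a statement."""
    text = "\n".join(l for l in conf.splitlines() if not l.strip().startswith("#"))
    policies: List[Policy] = []
    for n, stmt in enumerate(s.strip() for s in text.split(";")):
        stmt = " ".join(stmt.split())        # fold the two-line layout into one
        if not stmt or stmt == "spdflush":
            continue
        m = SPDADD_RE.match(stmt)
        if not m:
            raise ValueError(f"statement {n}: cannot parse {stmt!r}")
        src, sp, dst, dp, proto, direction, action, spec = m.groups()
        if proto not in UPPER_LAYER:
            # the same shape of complaint the submitter saw for [tcp] on line 26
            raise ValueError(f"statement {n}: unknown upper-layer protocol [{proto}]")
        policies.append(Policy(src, _port(sp), dst, _port(dp), proto,
                               direction, action, spec or ""))
    return policies


def rewrite_tcp_to_any(conf: str) -> str:
    """The submitter's workaround: put 'any' in the protocol field."""
    return re.sub(r"(\]\s+)tcp(\s+-P\b)", r"\1any\2", conf)


def lookup(policies, direction, src, dst, proto, sport=None, dport=None):
    """First matching policy, or None. Model assumption: no match means the
    packet is neither protected nor dropped (bypass), which the PR itself does
    not discuss."""
    for p in policies:
        if p.direction != direction or p.src != src or p.dst != dst:
            continue
        if p.proto != "any" and p.proto != proto:
            continue
        if p.sport is not None and p.sport != sport:
            continue
        if p.dport is not None and p.dport != dport:
            continue
        return p
    return None


def _describe(p: Optional[Policy]) -> Optional[str]:
    return None if p is None else f"{p.action} {p.ipsec_spec}".strip()


def policy_for_ssh(conf: str) -> Optional[str]:
    """Outbound TCP/22 from the laptop to 207.158.72.11 under 'conf'."""
    return _describe(lookup(parse_spd(conf), "out", "207.158.72.14",
                            "207.158.72.11", "tcp", sport=49152, dport=22))


def policy_for_dns(conf: str) -> Optional[str]:
    """Outbound UDP/53 from the laptop to 207.158.72.11 under 'conf'."""
    return _describe(lookup(parse_spd(conf), "out", "207.158.72.14",
                            "207.158.72.11", "udp", sport=49152, dport=53))


if __name__ == "__main__":
    for label, conf in (("tcp", SPD_TCP), ("any", rewrite_tcp_to_any(SPD_TCP))):
        print(f"{label:>3}: ssh -> {policy_for_ssh(conf)}, dns -> {policy_for_dns(conf)}")
```

Under the original file the DNS query matches no policy at all (the commented-out `udp -P out none` entries would have made that explicit), while under the rewritten file it hits the `require` policy and cannot leave the host until an ESP SA exists with the resolver. That is the practical cost of the workaround, and the reason the submitter calls the `any`-only parser state broken rather than merely inconvenient.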