
Bug#477426: marked as done (Incorrect SP (flow) setup when in tunnel mode.)



Your message dated Mon, 19 Dec 2022 23:34:39 +0000
with message-id <E1p7PeZ-000prT-EV@fasolo.debian.org>
and subject line Bug#1026370: Removed package(s) from unstable
has caused the Debian Bug report #477426,
regarding Incorrect SP (flow) setup when in tunnel mode.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
477426: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477426
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: isakmpd
Version: 20041012-5
Severity: important
Tags: patch

The IPsec implementation has been changed in Linux 2.6.10. All packets
intended to be forwarded need to go through a flow configured
in the IPSEC_DIR_FWD direction (instead of IPSEC_DIR_INBOUND).

The way isakmpd configures IPsec (IPSEC_DIR_INBOUND for input flows)
causes incoming packets (intended to be forwarded) to be directed
into the INPUT chain and silently discarded.

Attached patch fixes this behavior for me but I'm not sure it is correct
(I don't know isakmpd code at all, don't know much about IPsec and don't
have enough time to dig more). It configures IPSEC_DIR_FWD input flow if
in tunnel mode and IPSEC_DIR_INBOUND otherwise. Cases with host setting
up IPsec in tunnel mode but using this tunnel (instead of just
forwarding packets further) probably need to be handled. I hope this
patch will at least be useful for showing precisely where the problem
is.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-vserver-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages isakmpd depends on:
ii  libc6           2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libgmp3c2       2:4.2.1+dfsg-4    Multiprecision arithmetic library
ii  libssl0.9.8     0.9.8c-4etch1     SSL shared libraries

isakmpd recommends no packages.


diff -ruN isakmpd-20041012.orig/pf_key_v2.c isakmpd-20041012/pf_key_v2.c
--- isakmpd-20041012.orig/pf_key_v2.c	2008-04-21 10:01:55.000000000 +0200
+++ isakmpd-20041012/pf_key_v2.c	2008-04-23 09:02:40.000000000 +0200
@@ -2318,16 +2318,7 @@
 	policy->sadb_x_policy_len = len / PF_KEY_V2_CHUNK;
 	policy->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 	if (ingress)
-#ifdef LINUX_IPSEC
-	{
-	    if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL)
-		policy->sadb_x_policy_dir = IPSEC_DIR_FWD;
-	    else
 		policy->sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-	}
-#else
-		policy->sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-#endif
 	else
 		policy->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
 	policy->sadb_x_policy_reserved = 0;
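
Review bot: The hunk is reversed relative to the description: the `#ifdef LINUX_IPSEC` block that sets `policy->sadb_x_policy_dir = IPSEC_DIR_FWD;` for `IPSEC_ENCAP_TUNNEL` sits on `-` lines, so applying this as posted removes the tunnel-mode handling instead of adding it. The diff was apparently generated with the two trees swapped; please regenerate it with the pristine tree as the first argument so the block appears on `+` lines. In the intended version, the ingress policy for tunnel mode is installed only as IPSEC_DIR_FWD, so a gateway that also receives tunnelled traffic addressed to itself ends up with no IPSEC_DIR_INBOUND policy, which is the case the description says still needs handling; installing both directions for tunnel mode under LINUX_IPSEC would cover it. Stylistically, putting the braces around the whole `if (ingress)` body outside the `#ifdef` would keep the if/else pairing readable in both build configurations.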

--- End Message ---
--- Begin Message ---
Version: 20041012-10+rm

Dear submitter,

as the package isakmpd has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1026370

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---
