NetBSD Problem Report #44843
From www@NetBSD.org Fri Apr 8 15:23:57 2011
Date: Fri, 8 Apr 2011 15:23:56 +0000 (UTC)
From: msporleder@gmail.com
Reply-To: msporleder@gmail.com
To: gnats-bugs@NetBSD.org
Subject: IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
>Number: 44843
>Category: kern
>Synopsis: IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 08 15:25:00 +0000 2011
>Last-Modified: Fri Apr 08 17:55:01 +0000 2011
>Originator: matthew sporleder
>Release: 5.1
>Organization:
mspo.com
>Environment:
NetBSD vc136-15.vc.panix.com 5.1 NetBSD 5.1 (PANIX-VC) #0: Thu Mar 10 01:49:14 EST 2011 root@juggler.panix.com:/misc/obj/misc/devel/netbsd/5.1/src/sys/arch/amd64/compile/PANIX-VC amd64
>Description:
I have IPSEC in my kernel and am unable to open IPPROTO_ESP or IPPROTO_AH sockets.
This does not seem to happen if the kernel does not have ipsec, so I think it's a bug.
>How-To-Repeat:
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>

int main(int argc, char *argv[])
{
    int sock;

    /* Open a raw IPv4 socket for ESP (IP protocol 50); the same
     * failure is reported for IPPROTO_AH (protocol 51). */
    sock = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
    if (sock < 0)
    {
        perror("sock problem");
        return 1;
    }
    return 0;
}
sock problem: Protocol not supported
>Fix:
>Audit-Trail:
From: Paul Koning <paul_koning@dell.com>
To: <gnats-bugs@NetBSD.org>
Cc: <kern-bug-people@netbsd.org>,
<gnats-admin@netbsd.org>,
<netbsd-bugs@netbsd.org>
Subject: Re: kern/44843: IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
Date: Fri, 8 Apr 2011 11:32:39 -0400
IPSec uses those two protocols; if you tell NetBSD to implement them in
the kernel, why would you expect to be able to access them from
userland?
paul
From: matthew sporleder <msporleder@gmail.com>
To: gnats-bugs@netbsd.org
Cc: Paul Koning <paul_koning@dell.com>, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/44843: IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
Date: Fri, 8 Apr 2011 13:50:03 -0400
> IPSec uses those two protocols; if you tell NetBSD to implement them in
> the kernel, why would you expect to be able to access them from
> userland?
>
To force this choice at kernel-compile time is pretty extreme, in my opinion.
My sample program works on other operating systems. I don't know
about their kernels as much as I do netbsd's, but I know I can install
racoon on linux without needing a new kernel. OpenBSD has options
IPSEC in GENERIC and doesn't seem to have a problem.
Is there another example of where enabling an option in the kernel
disables a userland component in such a way? options INET certainly
doesn't exclude my ability to run a web server.
I didn't see any mention of this impact in the options or ipsec man pages.
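The submitter's repro above, extended as an added example (not code from the PR or from NetBSD): it probes both IPPROTO_ESP and IPPROTO_AH and separates the EPROTONOSUPPORT symptom reported here from the ordinary privilege failure raw sockets produce for an unprivileged user. The function names are the example's own.

```c
/* Probe raw IPPROTO_ESP / IPPROTO_AH sockets and diagnose the errno.
 * Added example, not part of PR 44843: it covers both protocols and
 * tells "kernel refuses the protocol" (EPROTONOSUPPORT, the symptom in
 * this PR) apart from "caller lacks raw-socket privilege" (EPERM/EACCES). */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to open a raw socket for proto; return 0 on success, else errno. */
int probe_raw_proto(int proto)
{
    int s = socket(PF_INET, SOCK_RAW, proto);
    if (s < 0)
        return errno;
    close(s);
    return 0;
}

/* Map a probe result to a short diagnosis. */
const char *diagnose(int err)
{
    switch (err) {
    case 0:               return "usable from userland";
    case EPROTONOSUPPORT: return "kernel claims the protocol (symptom in this PR)";
    case EPERM:
    case EACCES:          return "raw sockets need privilege; rerun as root";
    default:              return "other error";
    }
}

/* 1 if err is one of the outcomes this probe is designed to report. */
int is_expected_result(int err)
{
    return err == 0 || err == EPROTONOSUPPORT || err == EPERM || err == EACCES;
}

int main(void)
{
    const struct { const char *name; int proto; } probes[] = {
        { "IPPROTO_ESP", IPPROTO_ESP }, { "IPPROTO_AH", IPPROTO_AH },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err = probe_raw_proto(probes[i].proto);
        printf("%-12s -> %s (%s)\n", probes[i].name, diagnose(err),
               err ? strerror(err) : "ok");
    }
    return 0;
}
```

On a kernel with the behaviour described in this PR both lines report EPROTONOSUPPORT even when run as root; EPERM/EACCES instead points at missing privilege rather than the kernel option.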
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.