NetBSD Problem Report #44843

From www@NetBSD.org  Fri Apr  8 15:23:57 2011
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 1FA4963C19B
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  8 Apr 2011 15:23:57 +0000 (UTC)
Message-Id: <20110408152356.6033A63C184@www.NetBSD.org>
Date: Fri,  8 Apr 2011 15:23:56 +0000 (UTC)
From: msporleder@gmail.com
Reply-To: msporleder@gmail.com
To: gnats-bugs@NetBSD.org
Subject: IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
X-Send-Pr-Version: www-1.0

>Number:         44843
>Category:       kern
>Synopsis:       IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 08 15:25:00 +0000 2011
>Last-Modified:  Fri Apr 08 17:55:01 +0000 2011
>Originator:     matthew sporleder
>Release:        5.1
>Organization:
mspo.com
>Environment:
NetBSD vc136-15.vc.panix.com 5.1 NetBSD 5.1 (PANIX-VC) #0: Thu Mar 10 01:49:14 EST 2011  root@juggler.panix.com:/misc/obj/misc/devel/netbsd/5.1/src/sys/arch/amd64/compile/PANIX-VC amd64

>Description:
I have IPSEC in my kernel and am unable to open sockets IPPROTO_ESP or IPPROTO_AH.

This does not seem to happen if the kernel does not have ipsec so I think it's a bug.
>How-To-Repeat:


#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>

int main(int argc, char *argv[])
{
 int sock;

 /* Raw socket for ESP; this is the call that fails on an IPSEC kernel. */
 sock = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
 if ( sock < 0 )
 {
   perror("sock problem");
   return 1;
 }

 return 0;
}


sock problem: Protocol not supported
>Fix:

>Audit-Trail:
From: Paul Koning <paul_koning@dell.com>
To: <gnats-bugs@NetBSD.org>
Cc: <kern-bug-people@netbsd.org>,
 <gnats-admin@netbsd.org>,
 <netbsd-bugs@netbsd.org>
Subject: Re: kern/44843: IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
Date: Fri, 8 Apr 2011 11:32:39 -0400

 IPSec uses those two protocols; if you tell NetBSD to implement them in
 the kernel, why would you expect to be able to access them from
 userland?

 	paul

 On Apr 8, 2011, at 11:25 AM, <msporleder@gmail.com> wrote:

 >> Number:         44843
 >> Category:       kern
 >> Synopsis:       IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
 >> Confidential:   no
 >> Severity:       serious
 >> Priority:       medium
 >> Responsible:    kern-bug-people
 >> State:          open
 >> Class:          sw-bug
 >> Submitter-Id:   net
 >> Arrival-Date:   Fri Apr 08 15:25:00 +0000 2011
 >> Originator:     matthew sporleder
 >> Release:        5.1
 >> Organization:
 > mspo.com
 >> Environment:
 > NetBSD vc136-15.vc.panix.com 5.1 NetBSD 5.1 (PANIX-VC) #0: Thu Mar 10 01:49:14 EST 2011  root@juggler.panix.com:/misc/obj/misc/devel/netbsd/5.1/src/sys/arch/amd64/compile/PANIX-VC amd64
 >
 >> Description:
 > I have IPSEC in my kernel and am unable to open sockets IPPROTO_ESP or IPPROTO_AH.
 >
 > This does not seem to happen if the kernel does not have ipsec so I think it's a bug.
 >> How-To-Repeat:
 >
 >
 > #include <stdio.h>
 > #include <sys/socket.h>
 > #include <netinet/in.h>
 > #include <errno.h>
 > #include <string.h>
 >
 > int main(int argc, char *argv[])
 > {
 > int sock;
 > sock = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
 > if ( sock < 0 )
 > {
 >   perror("sock problem");
 > }
 >
 > }
 >
 >
 > sock problem: Protocol not supported
 >> Fix:
 >

From: matthew sporleder <msporleder@gmail.com>
To: gnats-bugs@netbsd.org
Cc: Paul Koning <paul_koning@dell.com>, kern-bug-people@netbsd.org, 
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/44843: IPSEC in kernel make IPPROTO_ESP and IPPROTO_AH unusable
Date: Fri, 8 Apr 2011 13:50:03 -0400

 > IPSec uses those two protocols; if you tell NetBSD to implement them in
 > the kernel, why would you expect to be able to access them from
 > userland?
 >

 To force this choice at kernel-compile time is pretty extreme, in my opinion.

 My sample program works on other operating systems.  I don't know
 about their kernels as much as I do netbsd's, but I know I can install
 racoon on linux without needing a new kernel.  OpenBSD has options
 IPSEC in GENERIC and doesn't seem to have a problem.

 Is there another example of where enabling an option in the kernel
 disables a userland component in such a way?  options INET certainly
 doesn't exclude my ability to run a web server.

 I didn't see any mention in the options or ipsec man pages mentioning
 this impact.
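
Added example, not part of the original report or thread: a probe that repeats the How-To-Repeat socket() call for both IPPROTO_ESP and IPPROTO_AH and separates a missing-privilege failure from the "Protocol not supported" error reported above. The enum and function names are hypothetical, chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Outcome names are hypothetical, chosen for this example. */
enum raw_result { RAW_OK, RAW_NEED_PRIV, RAW_PROTO_UNAVAILABLE, RAW_OTHER };

/* Map the errno left by socket(PF_INET, SOCK_RAW, proto) to an outcome. */
enum raw_result classify_raw_errno(int err)
{
    switch (err) {
    case 0:               return RAW_OK;
    case EPERM:
    case EACCES:          return RAW_NEED_PRIV;         /* caller lacks raw-socket privilege */
    case EPROTONOSUPPORT: return RAW_PROTO_UNAVAILABLE; /* "Protocol not supported" */
    default:              return RAW_OTHER;
    }
}

/* Open and close one raw socket; *err_out receives errno, or 0 on success. */
enum raw_result probe_raw_proto(int proto, int *err_out)
{
    int sock = socket(PF_INET, SOCK_RAW, proto);
    int err = (sock < 0) ? errno : 0;
    if (sock >= 0)
        close(sock);
    if (err_out != NULL)
        *err_out = err;
    return classify_raw_errno(err);
}

int main(void)
{
    static const struct { const char *name; int proto; } protos[] = {
        { "IPPROTO_ESP", IPPROTO_ESP }, { "IPPROTO_AH", IPPROTO_AH },
    };
    static const char *const label[] = {
        "ok", "needs privilege", "protocol not available for raw sockets", "other error",
    };
    for (size_t i = 0; i < sizeof(protos) / sizeof(protos[0]); i++) {
        int err;
        enum raw_result r = probe_raw_proto(protos[i].proto, &err);
        printf("%-12s %s%s%s\n", protos[i].name, label[r], err ? ": " : "", err ? strerror(err) : "");
    }
    return 0;
}
```

Run it as root so that a privilege failure does not mask the protocol result.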
