IPSEC with MAC/MLS support crack

Hi, When I use FreeBSD-6.0 Release (also FreeBSD-5.4),
I found
IPSEC can't coexists with MAC.

When the IpSec is setup, and we connects the TCP
server with IPSEC and MAC support, the server
innevitably crack. Because the m_pkthdr of some mbuf
is mangled by unknown reasons.

Following is my kernel configuration:
options MAC
options MAC_DEBUG
options MAC_MLS
# uncomment to put sebsd to kernel, but better to
options IPSEC
options IPSEC_ESP

Following is the kernel dump backtrace:
#0 0xc0668f0b in kdb_enter (msg=0x12 <Address 0x12
out of bounds>) at cpufunc.h:60
#1 0xc06509ab in panic (fmt=0xc08e6470
"mac_mls_dominate_element: b->mme_type invalid")
at ../../../kern/kern_shutdown.c:545
#2 0xc07be3da in mac_mls_dominate_element
(a=0xc14dfebc, b=0xc1b5eee4)
at ../../../security/mac_mls/mac_mls.c:216
#3 0xc07be4e2 in mac_mls_effective_in_range
(effective=0xc1b5eee0, range=0xc14dfe70)
at ../../../security/mac_mls/mac_mls.c:266
#4 0xc07bf8de in mac_mls_check_ifnet_transmit
(ifnet=0xc1646400, ifnetlabel=0x12, m=0xc16e5600,
mbuflabel=0x12) at
#5 0xc07b49fb in mac_check_ifnet_transmit
(ifnet=0xc1646400, mbuf=0xc16e5600)
at ../../../security/mac/mac_net.c:409
#6 0xc06bfb46 in ether_output (ifp=0xc1646400,
m=0xc16e5600, dst=0xc1a16330, rt0=0xc1816840)
at ../../../net/if_ethersubr.c:161
#7 0xc06f3662 in ip_output (m=0xc16e5600,
opt=0xc16e56ec, ro=0xc1a1632c, flags=0, imo=0x0,
at ../../../netinet/ip_output.c:778
#8 0xc06fca6a in tcp_output (tp=0xc186fac8) at
#9 0xc0704bbc in tcp_disconnect (tp=0xc186fac8) at
#10 0xc07034c0 in tcp_usr_disconnect (so=0x12) at
#11 0xc0689822 in sodisconnect (so=0x0) at
#12 0xc0689490 in soclose (so=0xc19ec164) at
#13 0xc0678d17 in soo_close (fp=0xc1736c60,
td=0xc1730c00) at ../../../kern/sys_socket.c:317
#14 0xc062e818 in fdrop_locked (fp=0xc1736c60,
td=0xc1730c00) at file.h:289
#15 0xc062e769 in fdrop (fp=0xc1736c60, td=0xc1730c00)
at ../../../kern/kern_descrip.c:2112
#16 0xc062cd97 in closef (fp=0xc1736c60,
td=0xc1730c00) at ../../../kern/kern_descrip.c:1932
#17 0xc062a175 in close (td=0xc1730c00, uap=0x12) at
#18 0xc086576f in syscall (frame=

The failing point is not always the same and my system
FreeBSD zzy.ios 6.0-RELEASE FreeBSD 6.0-RELEASE #13:
Fri Mar 17 17:11:04 UTC 2006

Thanks very much

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: MAC Filtering Part II
    ... IPSec you will need to consider any network attached devices which do not ... connected to the internet i.e. server acting as a gateway, ... I thought that finding a way to permit only certain MAC addresses ...
  • Re: security dhcp server
    ... What you could try is to configure your scope to only have reservations. ... specific mac address. ... accessing a computer with an ipsec require policy. ... certificate server, and an IAS server. ...
  • Am I understanding this right?
    ... I decided that I wanted to use a Linux server for a VPN. ... With IPSec built in to the new kernel, can I some how configure some ...
  • IPSEC with MAC/MLS support crack
    ... IPSEC can't coexists with MAC. ... When the IpSec is setup, ... server with IPSEC and MAC support, ... Following is my kernel configuration: ...
  • Re: Kernel hiding files
    ... Search for Kernel Mode Trojans. ... > half way through the installation it says ipsec.sys can ... > into the server, ipsec.sys is invisible. ... > ipsec.* files I had been renaming from the remote machine. ...