Bjoern A. Zeeb wrote:
On Mon, 17 Nov 2008, Stephen Clark wrote:
Hi,
Bjoern A. Zeeb wrote:
On Fri, 14 Nov 2008, Robert Noland wrote:
Hi,
Also just using gre's without the
underlying ipsec tunnels seems to
work properly.
The reason for this to my knowledge is:
http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4
or looking at recent freebsd code:
http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164
Look for M_DECRYPTED.
Now what happens in your case:
you receive an IPSec ESP packet, which gets decrypted; that sets
M_DECRYPTED on the mbuf. It passes through various parts, gets up to gre,
gets decapsulated, is an IP packet (again), gets to ip_input, TTL
expired, icmp_error, and it's still the same mbuf that originally got
the M_DECRYPTED set. Thus the packet is just freed and you never see
anything.
So, thinking about this, it has nothing to do with gre (or gif, for example,
as well) in the first place. It's arguable that when passing it on to another
decapsulation the flag should be cleared, when entering gre() for
example.
The other question of course is why we do not send the icmp error back
even on plain ipsec? Is it because we could possibly leak information
as it's not caught by the policy sending it back?
/bz
Update:
Adding this code in ip_icmp.c makes the traceroute work.
case IPPROTO_GRE:
hlen += sizeof(struct gre_h);
+ m->m_flags &= ~(M_DECRYPTED);
I have two problems with this:
1) my ip_icmp.c doesn't know anything about GRE (in HEAD or on my 6.x
box) unless I need more coffee.
2) This obviously doesn't solve the problem for gif(4), ...
Can you tell me which branch you are working against (I guess it's
6.3?) and generate a proper diff?
/bz
Duh sorry - should have said ip_gre.c and it is 6.3-p5
*** ip_gre.c.ori Tue Nov 18 08:09:16 2008
--- ip_gre.c Tue Nov 18 08:10:27 2008
***************
*** 153,158 ****
--- 153,161 ----
switch (proto) {
case IPPROTO_GRE:
hlen += sizeof(struct gre_h);
+
+ m->m_flags &= ~(M_DECRYPTED);
+
/* process GRE flags as packet can be of variable len */
flags = ntohs(gip->gi_flags);
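Review bot: the flag is cleared unconditionally as soon as proto is IPPROTO_GRE, before the GRE flags at `flags = ntohs(gip->gi_flags);` have been parsed and before the inner packet has actually been handed back up, so an outer packet that is rejected later in this function continues with M_DECRYPTED already stripped. Moving `m->m_flags &= ~(M_DECRYPTED);` to the point where the decapsulated inner packet is re-queued to ip_input keeps the flag meaningful for the outer packet throughout its own processing. A one-line comment saying why the flag is cleared (the icmp_error suppression in ip_icmp.c described earlier in the thread) would help the next reader, and the two added blank lines around the statement can go. As already noted, this only covers GRE and not gif(4); and since the only purpose of the M_DECRYPTED check is to avoid answering decrypted traffic, it is worth confirming that the TTL-exceeded reply now generated for the inner packet still leaves under the same IPsec policy rather than in the clear, which is the leak question raised earlier in the thread.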
You're right about gif(4) - probably something similar is needed.
Steve
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
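A user-space model of the path Bjoern describes (ESP decrypted, GRE decapsulated in the same mbuf, inner TTL expires, icmp_error suppressed by M_DECRYPTED) and of the effect of the ip_gre.c change. This is an added example, not FreeBSD code: the flag value, struct layout and function bodies are constructed here, only the names mirror the kernel's, and it also shows the flag being cleared only after a successful decapsulation.

```c
/* User-space model of the mbuf path described in the thread: added example,
 * not FreeBSD code; flag value, struct and bodies are constructed here. */
#include <stdbool.h>
#include <stdint.h>
#define M_DECRYPTED 0x0001u          /* constructed value, not the kernel's */
enum { PROTO_GRE = 47, PROTO_IPV4 = 4 };
struct mbuf {
    uint32_t m_flags;
    int      proto;      /* protocol carried by the current outer IP header */
    int      ttl;        /* TTL of the current outer IP header */
    int      inner_ttl;  /* TTL of the IP packet inside GRE, -1 if none */
};
/* icmp_error(): the ip_icmp.c check the thread points at; a decrypted packet
 * is never answered.  Returns whether an ICMP error was actually sent. */
static bool icmp_error(const struct mbuf *m)
{
    return (m->m_flags & M_DECRYPTED) == 0;
}
static bool gre_input(struct mbuf *m, bool clear_on_decap);
/* ip_input(): decrement TTL; on expiry try TTL exceeded, otherwise dispatch
 * on the carried protocol.  Returns whether an ICMP error left the box. */
static bool ip_input(struct mbuf *m, bool clear_on_decap)
{
    if (--m->ttl <= 0)
        return icmp_error(m);
    if (m->proto == PROTO_GRE)
        return gre_input(m, clear_on_decap);
    return false;                    /* delivered locally */
}
/* gre_input(): strip GRE and re-inject the inner IP packet in the same mbuf.
 * clear_on_decap applies the ip_gre.c change, but only after decapsulation
 * succeeded, so an outer packet rejected here keeps its flag. */
static bool gre_input(struct mbuf *m, bool clear_on_decap)
{
    if (m->inner_ttl < 0)
        return false;                /* nothing inside: dropped */
    m->proto = PROTO_IPV4;
    m->ttl = m->inner_ttl;
    m->inner_ttl = -1;
    if (clear_on_decap)
        m->m_flags &= ~M_DECRYPTED;  /* the one line from the diff */
    return ip_input(m, clear_on_decap);
}
/* ESP already stripped (flag set), GRE outside, inner IP with TTL 1: the
 * traceroute probe that should expire here.  True if the reply went out. */
bool probe_answered(bool clear_on_decap)
{
    struct mbuf m = { M_DECRYPTED, PROTO_GRE, 64, 1 };
    return ip_input(&m, clear_on_decap);
}
```

Without the change the probe expires silently, which is the traceroute symptom from the thread; with it the TTL-exceeded reply is generated.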
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net