Bjoern A. Zeeb wrote:
On Fri, 14 Nov 2008, Robert Noland wrote:
Hi,
Also just using gre's without the
underlying ipsec tunnels seems to
work properly.
The reason for this to my knowledge is:
http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4
or looking at recent freebsd code:
http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164
Look for M_DECRYPTED.
Now what happens in your case:
you receive an IPSec ESP packet, which gets decryped, that sets
M_DECRYPTED on the mbuf passes through various parts, gets up to gre,
gets decapsulated is an IP packet (again) gets to ip_input, TTL
expired, icmp_error and it's still the same mbuf that originally got
the M_DECRYPTED set. Thus the packets is just freed and you never see
anything.
So thinking about this has nothing to do with gre (or gif for example
as well) in first place. It's arguably that passing it on to another
decapsulation the flag should be cleared when entering gre() for
example.
The other question of course is why we do not send the icmp error back
even on plain ipsec? Is it because we could possibly leak information
as it's not caught by the policy sending it back?
/bz
Update:
Adding this code in ip_icmp.c makes the traceroute work.
case IPPROTO_GRE:
hlen += sizeof(struct gre_h);
+ m->m_flags &= ~(M_DECRYPTED);
Steve
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
