kern/69957: if_gre sends bogus (IPv0) packets

David Siebörger drs at seska.ict.ru.ac.za
Tue Aug 3 10:20:13 PDT 2004


>Number:         69957
>Category:       kern
>Synopsis:       if_gre sends bogus (IPv0) packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 03 17:20:11 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     David Siebörger
>Release:        FreeBSD 5.2-CURRENT
>Organization:
Rhodes University Computer Users Society
>Environment:
System: FreeBSD dagwood.ict.ru.ac.za 5.2-CURRENT FreeBSD 5.2-CURRENT #21: Tue Aug  3 18:48:08 SAST 2004     drs at dagwood.ict.ru.ac.za:/usr/obj/usr/src/sys/DAGWOOD  i386

>Description:
In a recent (cvsup'ed one or two days ago), if_gre appears to send malformed
packets.  The IP version of the encapsulating packets is set to 0.

if_gre worked fine in 5.1-RELEASE.  In 5.2.1-RELEASE, it is broken in a
different way, which I've yet to thoroughly investigate.

>How-To-Repeat:
Configure a gre interface and ping the far side of the tunnel:

# ifconfig gre0 create
# ifconfig gre0 172.16.0.1/30 172.16.0.2 tunnel dagwood pita-fe0-0 link1
# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2): 56 data bytes
^C
--- 172.16.0.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

While capturing the packets sent:

# tcpdump -vvi fxp0 -s 1500 host pita-fe0-0
tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 1500 bytes
19:08:59.961225 arp who-has pita-fe0-0.ict.ru.ac.za tell dagwood.ict.ru.ac.za
19:08:59.961927 arp reply pita-fe0-0.ict.ru.ac.za is-at 00:0c:ce:0b:cd:a0
19:08:59.961966 IP0 (tos 0x0, ttl  30, id 174, offset 0, flags [none], length: 108) dagwood.ict.ru.ac.za > pita-fe0-0.ict.ru.ac.za: [] IP (tos 0x0, ttl  64, id 174, offset 0, flags [none], length: 84) 172.16.0.1 > 172.16.0.2: icmp 64: echo request seq 0

Note that the encapsulating packet is marked "IP0", because the version
field is set to zero.

>Fix:
This patch fixes the problem for me, but assumes that gre tunnels are only
carried over IPv4....  It has been tested using a Cisco 2600 and a
5.1-RELEASE machine as the far ends of the tunnel.

--- sys/net/if_gre.c.orig	Tue Aug  3 16:28:55 2004
+++ sys/net/if_gre.c	Tue Aug  3 16:29:24 2004
@@ -376,6 +376,7 @@
 	if (sc->g_proto != IPPROTO_MOBILE) {
 		gh->gi_src = sc->g_src;
 		gh->gi_dst = sc->g_dst;
+		((struct ip*)gh)->ip_v = IPPROTO_IPV4;
 		((struct ip*)gh)->ip_hl = (sizeof(struct ip)) >> 2;
 		((struct ip*)gh)->ip_ttl = GRE_TTL;
 		((struct ip*)gh)->ip_tos = ip->ip_tos;
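Review bot: the added line in the @@ -376,6 +376,7 @@ hunk assigns IPPROTO_IPV4 to ip_v, but that constant is an IP protocol number (IPv4-in-IP encapsulation), not a header version. It produces the right result only because its value happens to be 4. Use IPVERSION from <netinet/ip.h> instead: ((struct ip*)gh)->ip_v = IPVERSION;. The assignment also sits inside the sc->g_proto != IPPROTO_MOBILE branch only, so it is worth confirming that the IPPROTO_MOBILE path, which this hunk does not show, sets the version field as well.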


>Release-Note:
>Audit-Trail:
>Unformatted:
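Added example (not part of the original report and not FreeBSD code): a small C check for the symptom shown in the capture above, an outer IPv4 header on a GRE packet whose version nibble is 0. The function and enum names are hypothetical, and the sample header is constructed from the capture's values (ttl 30, id 174, length 108) with placeholder addresses and an unset checksum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_GRE 47  /* IP protocol number for GRE */

enum outer_status { OUTER_OK, OUTER_SHORT, OUTER_BAD_VERSION,
                    OUTER_BAD_IHL, OUTER_NOT_GRE };

/* Validate the delivery (outer) IPv4 header of a GRE packet.
 * pkt points at the first byte of the IP header; len is the bytes captured. */
enum outer_status check_outer_header(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return OUTER_SHORT;
    unsigned version = pkt[0] >> 4;    /* high nibble: ip_v */
    unsigned ihl = pkt[0] & 0x0f;      /* low nibble: ip_hl, in 32-bit words */
    if (version != 4)
        return OUTER_BAD_VERSION;      /* what tcpdump printed as "IP0" */
    if (ihl < 5 || (size_t)ihl * 4 > len)
        return OUTER_BAD_IHL;
    if (pkt[9] != PROTO_GRE)
        return OUTER_NOT_GRE;
    return OUTER_OK;
}

/* Constructed sample: first byte 0x05 = version 0, header length 5.
 * Addresses are documentation-range placeholders; checksum left at zero. */
static const uint8_t buggy_hdr[20] = {
    0x05, 0x00, 0x00, 0x6c,  0x00, 0xae, 0x00, 0x00,
    0x1e, 0x2f, 0x00, 0x00,  192, 0, 2, 1,  192, 0, 2, 2
};

/* Same header with a different version/IHL byte, e.g. 0x45 once ip_v is set. */
enum outer_status check_with_first_byte(uint8_t first)
{
    uint8_t hdr[20];
    for (size_t i = 0; i < sizeof hdr; i++)
        hdr[i] = buggy_hdr[i];
    hdr[0] = first;
    return check_outer_header(hdr, sizeof hdr);
}

int main(void)
{
    printf("as captured: %d\n", check_outer_header(buggy_hdr, sizeof buggy_hdr));
    printf("with ip_v=4: %d\n", check_with_first_byte(0x45));
    return 0;
}
```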

