FreeBSD 6.3 gre and tracerouteo

Stephen Clark sclark46 at earthlink.net
Tue Nov 18 05:13:16 PST 2008 

Bjoern A. Zeeb wrote:
> On Mon, 17 Nov 2008, Stephen Clark wrote:
> 
> Hi,
> 
>> Bjoern A. Zeeb wrote:
>>> On Fri, 14 Nov 2008, Robert Noland wrote:
>>>
>>> Hi,
>>>
>>>>>>> Also just using gre's without the
>>>>>>> underlying ipsec tunnels seems to
>>>>>>> work properly.
>>>
>>> The reason for this to my knowledge is:
>>> http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4 
>>>
>>> or looking at recent freebsd code:
>>> http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164
>>> Look for M_DECRYPTED.
>>>
>>> Now what happens in your case:
>>>
>>> you receive an IPSec ESP packet, which gets decryped, that sets
>>> M_DECRYPTED on the mbuf passes through various parts, gets up to gre,
>>> gets decapsulated is an IP packet (again) gets to ip_input, TTL
>>> expired, icmp_error and it's still the same mbuf that originally got
>>> the M_DECRYPTED set. Thus the packets is just freed and you never see
>>> anything.
>>>
>>> So thinking about this has nothing to do with gre (or gif for example
>>> as well) in first place. It's arguably that passing it on to another
>>> decapsulation the flag should be cleared when entering gre() for
>>> example.
>>>
>>> The other question of course is why we do not send the icmp error back
>>> even on plain ipsec? Is it because we could possibly leak information
>>> as it's not caught by the policy sending it back?
>>>
>>> /bz
>>>
>> Update:
>>
>> Adding this code in ip_icmp.c makes the traceroute work.
>>     case IPPROTO_GRE:
>>         hlen += sizeof(struct gre_h);
>>
>> +        m->m_flags &= ~(M_DECRYPTED);
> 
> I have two problems with this:
> 
> 1) my ip_icmp.c doesn't know anything about GRE (in HEAD or on my 6.x
>    box) unless I need more coffee.
> 
> 2) This obviously doesn't solve the problem for gif(4), ...
> 
> 
> Can you tell me which brnach you are working against (I guess it's
> 6.3?) and generate a proper diff?
> 
> 
> /bz
> 
Duh sorry - should have said ip_gre.c and it is 6.3-p5

*** ip_gre.c.ori        Tue Nov 18 08:09:16 2008
--- ip_gre.c    Tue Nov 18 08:10:27 2008
***************
*** 153,158 ****
--- 153,161 ----
         switch (proto) {
         case IPPROTO_GRE:
                 hlen += sizeof(struct gre_h);
+
+               m->m_flags &= ~(M_DECRYPTED);
+
                 /* process GRE flags as packet can be of variable len */
                 flags = ntohs(gip->gi_flags);


Your right about gif(4) - probably something similar is needed.

Steve

-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)

More information about the freebsd-net mailing list