FreeBSD 6.3 gre and traceroute

Stephen Clark sclark46 at earthlink.net
Mon Nov 17 06:11:27 PST 2008


Bjoern A. Zeeb wrote:
> On Fri, 14 Nov 2008, Robert Noland wrote:
> 
> Hi,
> 
>>>>> Also just using gre's without the
>>>>> underlying ipsec tunnels seems to
>>>>> work properly.
> 
> The reason for this to my knowledge is:
> http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4 
> 
> 
> or looking at recent freebsd code:
> http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164
> Look for M_DECRYPTED.
> 
> Now what happens in your case:
> 
> you receive an IPSec ESP packet, which gets decryped, that sets
> M_DECRYPTED on the mbuf passes through various parts, gets up to gre,
> gets decapsulated is an IP packet (again) gets to ip_input, TTL
> expired, icmp_error and it's still the same mbuf that originally got
> the M_DECRYPTED set. Thus the packets is just freed and you never see
> anything.
> 
> So thinking about this has nothing to do with gre (or gif for example
> as well) in first place. It's arguably that passing it on to another
> decapsulation the flag should be cleared when entering gre() for
> example.
> 
> The other question of course is why we do not send the icmp error back
> even on plain ipsec? Is it because we could possibly leak information
> as it's not caught by the policy sending it back?
> 
> /bz
> 
Hi Bjoern,

Thanks for you insight. I see in the ip_icmp.c code what you are talking about.

Thanks,
Steve

-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)




More information about the freebsd-stable mailing list