kern/101400: [ipsec] some packets do not pass through IPSEC tunnel

Шкурко Александр read at midland.com.ua
Sat Aug 19 12:40:19 UTC 2006 

The following reply was made to PR kern/101400; it has been noted by GNATS.

From: =?koi8-r?B?+8vV0svPIOHMxcvTwc7E0g==?= <read at midland.com.ua>
To: <bug-followup at FreeBSD.org>, <read at midland.com.ua>
Cc:  
Subject: Re: kern/101400: [ipsec] some packets do not pass through IPSEC tunnel
Date: Sat, 19 Aug 2006 15:37:30 +0300

 After additional testing it was found out, that packets (not only ESP) =
 the certain size are lost all.
 If it is ICMP(as example) packet from 1473 to 1479 bytes we have lost =
 it.
 Examle:
 ping -s 1473 any_ip_address
 
 And I found that after 1480*x, where x=3D1,3,4,5,6... bytes we have the =
 same problem
 1480+1473=9A -=9A=9A 1480+1479=9A=9A=9A=9A=9A=9A=9A=9A=9A first range of =
 payload of ICMP packet
 1480*2+1473=9A - 1480*2+1479=9A=9A=9A=9A=9A second range of payload of =
 ICMP packet
 .........
 And so on
 
 If packets bigger or smaller=9A of that range - packets pass
 When problem exists I have kernel:
 diff -u ./GENERIC ./black
 --- ./GENERIC=9A=9A Mon May=9A 1 03:15:12 2006
 +++ ./black=9A=9A=9A=9A Sat Aug 19 10:51:09 2006
 @@ -22,7 +22,7 @@
 =9Acpu=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A I486_CPU
 =9Acpu=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A I586_CPU
 =9Acpu=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A I686_CPU
 -ident=9A=9A=9A=9A=9A=9A=9A=9A=9A GENERIC
 +ident=9A=9A=9A=9A=9A=9A=9A=9A=9A black
 
 =9A# To statically compile in device wiring instead of =
 /boot/device.hints
 =9A#hints=9A=9A=9A=9A=9A=9A=9A=9A =
 "GENERIC.hints"=9A=9A=9A=9A=9A=9A=9A=9A # Default places to look for =
 devices.
 @@ -33,7 +33,7 @@
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 SCHED_4BSD=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # 4BSD scheduler
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 PREEMPTION=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A =9A# Enable kernel thread =
 preemption
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 INET=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # =
 InterNETworking
 -options=9A=9A=9A=9A=9A=9A=9A =
 INET6=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # IPv6 =
 communications protocols
 +#options=9A=9A=9A=9A=9A=9A =
 INET6=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # IPv6 =
 communications protocols
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 FFS=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # =
 Berkeley Fast Filesystem
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 SOFTUPDATES=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # Enable FFS soft =
 updates support
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 UFS_ACL=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # Support for =
 access control lists
 @@ -279,3 +279,41 @@
 =9Adevice=9A=9A=9A=9A=9A=9A=9A=9A firewire=9A=9A=9A=9A=9A=9A=9A # =
 FireWire bus code
 =9Adevice=9A=9A=9A=9A=9A=9A=9A=9A =
 sbp=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # SCSI over FireWire (Requires =
 scbus and da)
 =9Adevice=9A=9A=9A=9A=9A=9A=9A=9A =
 fwe=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # Ethernet over FireWire =
 (non-standard!)
 +
 +#--------------------------------
 +options=9A=9A=9A=9A=9A=9A=9A=9A =
 SMP=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A =9A=9A=9A=9A=9A# =
 Symmetric MultiProcessor Kernel
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_VERBOSE
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_VERBOSE_LIMIT=3D100
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_DEFAULT_TO_ACCEPT
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPDIVERT
 +options=9A=9A=9A=9A=9A=9A=9A=9A TCP_DROP_SYNFIN
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFILTER
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFILTER_LOG
 +options=9A=9A=9A=9A=9A=9A=9A=9A DUMMYNET
 +options=9A=9A=9A=9A=9A=9A=9A=9A SC_HISTORY_SIZE=3D1000
 +options=9A=9A=9A=9A=9A=9A=9A=9A PANIC_REBOOT_WAIT_TIME=3D120
 +options=9A=9A=9A=9A=9A=9A=9A=9A SC_DISABLE_REBOOT
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPSEC
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPSEC_ESP
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPSEC_DEBUG
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_FORWARD
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_FORWARD_EXTENDED
 +
 +options=9A=9A=9A=9A=9A=9A=9A=9A HZ=3D1000
 +
 +# pf otions
 +device pf
 +device pflog
 +device pfsync
 +
 +#ALTQ
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_CBQ=9A=9A=9A=9A=9A=9A=9A # Class =
 Bases Queueing
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_RED=9A=9A=9A=9A=9A=9A=9A # Random =
 Early Detection
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_RIO=9A=9A=9A=9A=9A=9A=9A # RED =
 In/Out
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_HFSC=9A=9A=9A=9A=9A=9A # =
 Hierarchical Packet Scheduler
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_CDNR=9A=9A=9A=9A =9A=9A# Traffic =
 conditioner
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_PRIQ=9A=9A=9A=9A=9A=9A # Priority =
 Queueing
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_NOPCC=9A=9A=9A=9A=9A # Required =
 for SMP build
 +
 
 But when I comment some lines from config problem with packets =
 disappear!
 diff -u ./GENERIC ./black
 --- ./GENERIC=9A=9A Mon May=9A 1 03:15:12 2006
 +++ ./black=9A=9A=9A=9A Sat Aug 19 10:51:09 2006
 @@ -22,7 +22,7 @@
 =9Acpu=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A I486_CPU
 =9Acpu=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A I586_CPU
 =9Acpu=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A I686_CPU
 -ident=9A=9A=9A=9A=9A=9A=9A=9A=9A GENERIC
 +ident=9A=9A=9A=9A=9A=9A=9A=9A=9A black
 
 =9A# To statically compile in device wiring instead of =
 /boot/device.hints
 =9A#hints=9A=9A=9A=9A=9A=9A=9A=9A =
 "GENERIC.hints"=9A=9A=9A=9A=9A=9A=9A=9A # Default places to look for =
 devices.
 @@ -33,7 +33,7 @@
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 SCHED_4BSD=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # 4BSD scheduler
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 PREEMPTION=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # Enable kernel thread =
 preemption
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 INET=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # =
 InterNETworking
 -options=9A=9A=9A=9A=9A=9A=9A =
 INET6=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # IPv6 =
 communications protocols
 +#options=9A=9A=9A=9A=9A=9A =
 INET6=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A =9A=9A=9A=9A# IPv6 =
 communications protocols
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 FFS=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # =
 Berkeley Fast Filesystem
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 SOFTUPDATES=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # Enable FFS soft =
 updates support
 =9Aoptions=9A=9A=9A=9A=9A=9A=9A =
 UFS_ACL=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # Support for =
 access control lists
 @@ -279,3 +279,41 @@
 =9Adevice=9A=9A=9A=9A=9A=9A=9A=9A firewire=9A=9A=9A=9A=9A=9A=9A # =
 FireWire bus code
 =9Adevice=9A=9A=9A=9A=9A=9A=9A=9A =
 sbp=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # SCSI over FireWire (Requires =
 scbus and da)
 =9Adevice=9A=9A=9A=9A=9A=9A=9A=9A =
 fwe=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # Ethernet over FireWire =
 (non-standard!)
 +
 +#--------------------------------
 +options=9A=9A=9A=9A=9A=9A=9A=9A =
 SMP=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A=9A # =
 Symmetric MultiProcessor Kernel
 +#options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL
 +#options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_VERBOSE
 +#options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_VERBOSE_LIMIT=3D100
 +#options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_DEFAULT_TO_ACCEPT
 +#options=9A=9A=9A=9A=9A=9A=9A=9A IPDIVERT
 +#options=9A=9A=9A=9A=9A=9A=9A=9A TCP_DROP_SYNFIN
 +#options=9A=9A=9A=9A=9A=9A=9A=9A IPFILTER
 +#options=9A=9A=9A=9A=9A=9A=9A=9A IPFILTER_LOG
 +#options=9A=9A=9A=9A=9A=9A=9A=9A DUMMYNET
 +options=9A=9A=9A=9A=9A=9A=9A=9A SC_HISTORY_SIZE=3D1000
 +options=9A=9A=9A=9A=9A=9A=9A=9A PANIC_REBOOT_WAIT_TIME=3D120
 +options=9A=9A=9A=9A=9A=9A=9A=9A SC_DISABLE_REBOOT
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPSEC
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPSEC_ESP
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPSEC_DEBUG
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_FORWARD
 +options=9A=9A=9A=9A=9A=9A=9A=9A IPFIREWALL_FORWARD_EXTENDED
 +
 +options=9A=9A=9A=9A=9A=9A=9A=9A HZ=3D1000
 +
 +# pf otions
 +device pf
 +device pflog
 +device pfsync
 +
 +#ALTQ
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_CBQ=9A=9A=9A=9A=9A=9A=9A # Class =
 Bases Queueing
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_RED=9A=9A=9A=9A=9A=9A=9A # Random =
 Early Detection
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_RIO=9A=9A=9A=9A=9A=9A=9A # RED =
 In/Out
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_HFSC=9A=9A=9A=9A=9A=9A # =
 Hierarchical Packet Scheduler
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_CDNR=9A=9A=9A=9A=9A=9A # Traffic =
 conditioner
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_PRIQ=9A=9A=9A=9A=9A=9A # Priority =
 Queueing
 +options=9A=9A=9A=9A=9A=9A=9A=9A ALTQ_NOPCC=9A=9A=9A=9A=9A # Required =
 for SMP build
 +

More information about the freebsd-bugs mailing list