tcp md5 checksums broken in 7.0-beta3
Nick Hilliard
nick-lists at netability.ie
Tue Nov 27 02:52:48 PST 2007
Bjoern A. Zeeb wrote:
> not that this should fix your problem but you might want to start with
> this patch:
>
> http://sources.zabbadoz.net/freebsd/patchset/sys-netinet-tcp-syncache.c-20071126-01.diff
No, probably not. But it may fix a bunch of spurious failed SADB lookup
messages I've been seeing on the box in question.
> I'll try to find your bug the next days (in case you find anything let
> me know).
>
> I don't know how much quagga does these days but policies are setup
> correctly on both machines and you are not finding any failed SADB
> lookup warnings in dmesg on the 7 machine?
The security policy is set up using setkey from config in /etc/ipsec.conf:
> ferris# grep xx /etc/ipsec.conf
> add 193.242.111.9 193.242.111.xx tcp 0x1000 -A tcp-md5 "<removed>";
No, there are no failed SADB lookup messages. The kernel code is being
executed, because if I disable md5 from within quagga, the md5 checksum
option completely disappears from the tcp headers. If it's enabled, the
checksum is just zeros.
Nick
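As an added illustration that is not part of this thread or of the FreeBSD or quagga code: the check below parses the TCP option list of a segment, flags an RFC 2385 option (kind 19, length 18) whose 16-byte digest is all zeros, which is the symptom described above, and otherwise recomputes the digest over the pseudo-header, fixed TCP header and key so a mismatch can be told apart from an absent option. The addresses, ports and key are constructed values.

```python
"""Inspect the TCP-MD5 signature option (RFC 2385, kind 19) in a segment."""
import hashlib
import socket
import struct

TCP_MD5_KIND = 19   # RFC 2385 option kind
TCP_MD5_LEN = 18    # kind + length + 16-byte MD5 digest


def tcp_options(tcp_header):
    """Yield (kind, payload) for each option; data offset decides where they end."""
    doff = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: nothing follows
            return
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        length = opts[i + 1]
        yield kind, opts[i + 2:i + length]
        i += length


def rfc2385_digest(src, dst, tcp_header, payload, key):
    """MD5 over pseudo-header, TCP header minus options (checksum zeroed), data, key."""
    seg_len = len(tcp_header) + len(payload)          # header incl. options + data
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # checksum field set to zero
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def check_md5_option(src, dst, tcp_header, payload, key):
    """Return 'absent', 'zero', 'ok' or 'mismatch' for the segment's TCP-MD5 option."""
    for kind, data in tcp_options(tcp_header):
        if kind == TCP_MD5_KIND:
            if data == bytes(16):                     # option present, digest never filled in
                return "zero"
            return "ok" if data == rfc2385_digest(src, dst, tcp_header, payload, key) else "mismatch"
    return "absent"


def build_segment(digest=None):
    """Constructed BGP-style TCP header (port 179); digest=None omits the option entirely."""
    opt = b"" if digest is None else bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest + b"\x01\x01"
    doff = (20 + len(opt)) // 4
    hdr = struct.pack("!HHIIBBHHH", 179, 40000, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    return hdr + opt
```

Because the digest covers the fixed header but not the option bytes, a segment built with a zero digest and one built with the real digest share the same input to `rfc2385_digest`, which is what makes the "zero" case detectable without the key.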