FreeBSD 6.3 gre and traceroute

Bjoern A. Zeeb bzeeb-lists at
Sat Nov 15 02:40:18 PST 2008

On Fri, 14 Nov 2008, Robert Noland wrote:


>>>> Also just using gre's without the
>>>> underlying ipsec tunnels seems to
>>>> work properly.

The reason for this to my knowledge is:

or looking at recent freebsd code:

Now what happens in your case:

you receive an IPSec ESP packet, which gets decryped, that sets
M_DECRYPTED on the mbuf passes through various parts, gets up to gre,
gets decapsulated is an IP packet (again) gets to ip_input, TTL
expired, icmp_error and it's still the same mbuf that originally got
the M_DECRYPTED set. Thus the packets is just freed and you never see

So thinking about this has nothing to do with gre (or gif for example
as well) in first place. It's arguably that passing it on to another
decapsulation the flag should be cleared when entering gre() for

The other question of course is why we do not send the icmp error back
even on plain ipsec? Is it because we could possibly leak information
as it's not caught by the policy sending it back?


Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

More information about the freebsd-net mailing list