FreeBSD 6.3 gre and traceroute
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Nov 18 03:45:09 PST 2008
On Mon, 17 Nov 2008, Stephen Clark wrote:
> Bjoern A. Zeeb wrote:
>> On Fri, 14 Nov 2008, Robert Noland wrote:
>>>>>> Also just using gre's without the
>>>>>> underlying ipsec tunnels seems to
>>>>>> work properly.
>> The reason for this to my knowledge is:
>> or looking at recent freebsd code:
>> Look for M_DECRYPTED.
>> Now what happens in your case:
>> you receive an IPSec ESP packet, which gets decrypted; that sets
>> M_DECRYPTED on the mbuf. It passes through various parts, gets up to gre,
>> gets decapsulated, is an IP packet (again), gets to ip_input, TTL
>> expired, icmp_error, and it's still the same mbuf that originally got
>> the M_DECRYPTED set. Thus the packet is just freed and you never see
>> So thinking about this, it has nothing to do with gre (or gif for example
>> as well) in the first place. It's arguable that when passing it on to another
>> decapsulation the flag should be cleared when entering gre() for
>> The other question of course is why we do not send the icmp error back
>> even on plain ipsec? Is it because we could possibly leak information
>> as it's not caught by the policy sending it back?
> Adding this code in ip_icmp.c makes the traceroute work.
> case IPPROTO_GRE:
> hlen += sizeof(struct gre_h);
> + m->m_flags &= ~(M_DECRYPTED);
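Review bot: clearing M_DECRYPTED inside an IPPROTO_GRE case of ip_icmp.c ties the fix to one encapsulation, while the quoted analysis says the same mbuf reaches icmp_error() from gif(4) as well; the flag should be cleared where the tunnel decapsulates the inner packet, so that both gre and gif paths are covered, rather than special-cased in the ICMP code. The fragment also has no `@@` header or surrounding context, so it is not clear which function or switch in ip_icmp.c `hlen += sizeof(struct gre_h);` belongs to; a unified diff against the branch in question would make that reviewable.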
I have two problems with this:
1) my ip_icmp.c doesn't know anything about GRE (in HEAD or on my 6.x
box) unless I need more coffee.
2) This obviously doesn't solve the problem for gif(4), ...
Can you tell me which branch you are working against (I guess it's
6.3?) and generate a proper diff?
Bjoern A. Zeeb Stop bit received. Insert coin for new game.
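The failure path described in this thread, as an added user-space model that is not FreeBSD kernel code and not posted by either participant: the mbuf, the esp_input/tunnel_input/ip_input/icmp_error functions and the outer-protocol values are assumptions mirroring the kernel functions named above. It shows why M_DECRYPTED set by ESP decryption survives gre(4) or gif(4) decapsulation on the same buffer and suppresses the ICMP time-exceeded reply that traceroute needs, and that clearing the flag at decapsulation fixes both tunnel types at once.

```c
#include <stdio.h>

/* Added example, not FreeBSD kernel code: a user-space model of the
 * path described in the thread. A flag set on the mbuf by IPsec
 * decryption is still set on the same mbuf after gre/gif decapsulation,
 * so icmp_error() refuses the ICMP time-exceeded reply. The struct and
 * function names are assumptions that mirror the kernel functions
 * named in the discussion. */

#define M_DECRYPTED 0x01        /* set after ESP decryption */

enum outer_proto { OUTER_GRE = 47, OUTER_IPIP = 4 }; /* gre(4) and gif(4) */
enum result { FORWARDED, ICMP_SENT, DROPPED };

struct mbuf_model {             /* stand-in for the kernel's struct mbuf */
    unsigned flags;
    enum outer_proto outer;     /* encapsulation the packet arrived in */
    int ttl;                    /* TTL of the inner IP packet */
};

/* Model of esp_input(): the decrypted payload stays in the same mbuf,
 * which is now marked M_DECRYPTED. */
static void esp_input(struct mbuf_model *m)
{
    m->flags |= M_DECRYPTED;
}

/* Model of gre_input()/gif_input(): strip the outer header. With
 * clear_flag set, also drop M_DECRYPTED, since the inner packet has
 * left the IPsec-protected context (the fix discussed above). The
 * outer protocol does not matter here, which is the point. */
static void tunnel_input(struct mbuf_model *m, int clear_flag)
{
    (void)m->outer;
    if (clear_flag)
        m->flags &= ~M_DECRYPTED;
}

/* Model of icmp_error(): no ICMP error is generated for a packet that
 * is still marked decrypted; the mbuf is freed instead. */
static enum result icmp_error(const struct mbuf_model *m)
{
    if (m->flags & M_DECRYPTED)
        return DROPPED;
    return ICMP_SENT;
}

/* Model of ip_input() for the inner packet: an expired TTL goes to
 * icmp_error(), anything else would be forwarded. */
static enum result ip_input(struct mbuf_model *m)
{
    if (--m->ttl <= 0)
        return icmp_error(m);
    return FORWARDED;
}

/* One traceroute probe (inner TTL 1) arriving inside ESP over a tunnel.
 * Returns what happened to the ICMP time-exceeded reply. */
enum result probe(enum outer_proto outer, int clear_at_decap)
{
    struct mbuf_model m = { 0, outer, 1 };   /* constructed probe packet */
    esp_input(&m);
    tunnel_input(&m, clear_at_decap);
    return ip_input(&m);
}

int main(void)
{
    static const char *names[] = { "forwarded", "icmp sent", "dropped" };
    printf("gre, flag kept:    %s\n", names[probe(OUTER_GRE, 0)]);
    printf("gre, flag cleared: %s\n", names[probe(OUTER_GRE, 1)]);
    printf("gif, flag kept:    %s\n", names[probe(OUTER_IPIP, 0)]);
    printf("gif, flag cleared: %s\n", names[probe(OUTER_IPIP, 1)]);
    return 0;
}
```

With the flag left in place both tunnel types lose the reply, and a per-protocol fix in the ICMP code would have to be repeated for every encapsulation; clearing it once at decapsulation restores the reply for gre and gif alike.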