FreeBSD 6.3 gre and tracerouteo
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Nov 18 03:45:09 PST 2008
On Mon, 17 Nov 2008, Stephen Clark wrote:
Hi,
> Bjoern A. Zeeb wrote:
>> On Fri, 14 Nov 2008, Robert Noland wrote:
>>
>> Hi,
>>
>>>>>> Also just using gre's without the
>>>>>> underlying ipsec tunnels seems to
>>>>>> work properly.
>>
>> The reason for this to my knowledge is:
>> http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4
>>
>> or looking at recent freebsd code:
>> http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164
>> Look for M_DECRYPTED.
>>
>> Now what happens in your case:
>>
>> you receive an IPSec ESP packet, which gets decryped, that sets
>> M_DECRYPTED on the mbuf passes through various parts, gets up to gre,
>> gets decapsulated is an IP packet (again) gets to ip_input, TTL
>> expired, icmp_error and it's still the same mbuf that originally got
>> the M_DECRYPTED set. Thus the packets is just freed and you never see
>> anything.
>>
>> So thinking about this has nothing to do with gre (or gif for example
>> as well) in first place. It's arguably that passing it on to another
>> decapsulation the flag should be cleared when entering gre() for
>> example.
>>
>> The other question of course is why we do not send the icmp error back
>> even on plain ipsec? Is it because we could possibly leak information
>> as it's not caught by the policy sending it back?
>>
>> /bz
>>
> Update:
>
> Adding this code in ip_icmp.c makes the traceroute work.
> case IPPROTO_GRE:
> hlen += sizeof(struct gre_h);
>
> + m->m_flags &= ~(M_DECRYPTED);
I have two problems with this:
1) my ip_icmp.c doesn't know anything about GRE (in HEAD or on my 6.x
box) unless I need more coffee.
2) This obviously doesn't solve the problem for gif(4), ...
Can you tell me which brnach you are working against (I guess it's
6.3?) and generate a proper diff?
/bz
--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.
More information about the freebsd-net
mailing list