From owner-freebsd-stable@FreeBSD.ORG  Thu Dec 11 07:03:05 2003
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1167D16A4CE
	for <stable@freebsd.org>; Thu, 11 Dec 2003 07:03:05 -0800 (PST)
Received: from smtp.atlantis.dp.ua (smtp.atlantis.dp.ua [193.108.46.231])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 50DE743D1D
	for <stable@freebsd.org>; Thu, 11 Dec 2003 07:03:02 -0800 (PST)
	(envelope-from dmitry@atlantis.dp.ua)
Received: from smtp.atlantis.dp.ua (smtp.atlantis.dp.ua [193.108.46.231])
	by smtp.atlantis.dp.ua (8.12.6p2/8.12.6) with ESMTP id hBBF2tjN093516
	for <stable@freebsd.org>; Thu, 11 Dec 2003 17:02:55 +0200 (EET)
	(envelope-from dmitry@atlantis.dp.ua)
Date: Thu, 11 Dec 2003 17:02:55 +0200 (EET)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: stable@freebsd.org
Message-ID: <20031211165422.D90261@atlantis.atlantis.dp.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: ipfw fwd to gif interface
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Dec 2003 15:03:05 -0000


Hello!

> From:      Andrey Lakhno <land@dnepr.net>
>
> I'v tried to forward all traffic incoming on the interface (tun0) to another
> one (gif0). And got following kernel message:
> gif_output: recursively called too many times(2)
>
> My configuration:
>
> # ifconfig gif0
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>	tunnel inet x.x.x.x --> y.y.y.y
>	inet 10.249.1.5 --> 10.249.1.6 netmask 0xfffffffc
>
> x.x.x.x is on fxp0, y.y.y.y is on cisco router
>
> Traffic is forwarded by the following rule:
> # ipfw add fwd 10.249.1.6 ip from any to any out recv tun0
>
> Packets matched by this rule, but nothing was going out gif0.

 Of course, you've created forwarding loop. After getting encapsulated,
packets travel through ipfw again, and they obviously have the same receive
interface (tun0), so your rule forwarding them back to gif0. You should pass
encapsulated traffic before forwarding non-encapsulated one:

ipfw add 1010 pass ipencap from x.x.x.x to y.y.y.y
ipfw add 1020 fwd 10.249.1.6 ip from any to any out recv tun0

You may want to replace "pass" with "skipto 1030" if you want to shape or
count ipencap traffic after these rules.

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE