Date: Mon, 17 Nov 2008 16:01:40 -0500 From: Stephen Clark <sclark46@earthlink.net> To: freebsd-net@freebsd.org Cc: FreeBSD Stable <freebsd-stable@freebsd.org> Subject: Re: FreeBSD 6.3 gre and traceroute Message-ID: <4921DBB4.4060505@earthlink.net> In-Reply-To: <20081115102746.K61259@maildrop.int.zabbadoz.net> References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net> <491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net> <491DC28E.80804@elischer.org> <1226688153.1719.23.camel@squirrel.corp.cox.com> <20081115102746.K61259@maildrop.int.zabbadoz.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Bjoern A. Zeeb wrote: > On Fri, 14 Nov 2008, Robert Noland wrote: > > Hi, > >>>>> Also just using gre's without the >>>>> underlying ipsec tunnels seems to >>>>> work properly. > > The reason for this to my knowledge is: > http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4 > > > or looking at recent freebsd code: > http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164 > Look for M_DECRYPTED. > > Now what happens in your case: > > you receive an IPSec ESP packet, which gets decryped, that sets > M_DECRYPTED on the mbuf passes through various parts, gets up to gre, > gets decapsulated is an IP packet (again) gets to ip_input, TTL > expired, icmp_error and it's still the same mbuf that originally got > the M_DECRYPTED set. Thus the packets is just freed and you never see > anything. > > So thinking about this has nothing to do with gre (or gif for example > as well) in first place. It's arguably that passing it on to another > decapsulation the flag should be cleared when entering gre() for > example. > > The other question of course is why we do not send the icmp error back > even on plain ipsec? Is it because we could possibly leak information > as it's not caught by the policy sending it back? > > /bz > Update: Adding this code in ip_icmp.c makes the traceroute work. case IPPROTO_GRE: hlen += sizeof(struct gre_h); + m->m_flags &= ~(M_DECRYPTED); Steve -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin) "The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4921DBB4.4060505>