Date: Tue, 18 Nov 2008 11:41:10 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: Stephen Clark <sclark46@earthlink.net> Cc: freebsd-net@freebsd.org Subject: Re: FreeBSD 6.3 gre and tracerouteo Message-ID: <20081118113823.T61259@maildrop.int.zabbadoz.net> In-Reply-To: <4921DBB4.4060505@earthlink.net> References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net> <491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net> <491DC28E.80804@elischer.org> <1226688153.1719.23.camel@squirrel.corp.cox.com> <20081115102746.K61259@maildrop.int.zabbadoz.net> <4921DBB4.4060505@earthlink.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 17 Nov 2008, Stephen Clark wrote: Hi, > Bjoern A. Zeeb wrote: >> On Fri, 14 Nov 2008, Robert Noland wrote: >> >> Hi, >> >>>>>> Also just using gre's without the >>>>>> underlying ipsec tunnels seems to >>>>>> work properly. >> >> The reason for this to my knowledge is: >> http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4 >> >> or looking at recent freebsd code: >> http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164 >> Look for M_DECRYPTED. >> >> Now what happens in your case: >> >> you receive an IPSec ESP packet, which gets decryped, that sets >> M_DECRYPTED on the mbuf passes through various parts, gets up to gre, >> gets decapsulated is an IP packet (again) gets to ip_input, TTL >> expired, icmp_error and it's still the same mbuf that originally got >> the M_DECRYPTED set. Thus the packets is just freed and you never see >> anything. >> >> So thinking about this has nothing to do with gre (or gif for example >> as well) in first place. It's arguably that passing it on to another >> decapsulation the flag should be cleared when entering gre() for >> example. >> >> The other question of course is why we do not send the icmp error back >> even on plain ipsec? Is it because we could possibly leak information >> as it's not caught by the policy sending it back? >> >> /bz >> > Update: > > Adding this code in ip_icmp.c makes the traceroute work. > case IPPROTO_GRE: > hlen += sizeof(struct gre_h); > > + m->m_flags &= ~(M_DECRYPTED); I have two problems with this: 1) my ip_icmp.c doesn't know anything about GRE (in HEAD or on my 6.x box) unless I need more coffee. 2) This obviously doesn't solve the problem for gif(4), ... Can you tell me which brnach you are working against (I guess it's 6.3?) and generate a proper diff? /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081118113823.T61259>