From: Frank Behrens <frank@harz.behrens.de>
To: freebsd-net@freebsd.org
Date: Thu, 27 Nov 2008 15:25:28 +0100
Subject: Problem with new source address selection (was Anyone interested in jail patches?)
In-reply-to: <20081126234502.S61259@maildrop.int.zabbadoz.net>
Message-Id: <200811271425.mAREPSwm004057@post.behrens.de>

Bjoern A. Zeeb wrote on 26 Nov 2008 23:56:
> If you are interested in a new set of jail patches... anyone?;-)

Yes, but about jail-specific things I'll write later, in another mail and on another list.

> 2b) for RELENG_7:
> http://people.freebsd.org/~bz/bz_jail7-20081126-02-at153644.diff

With this patch I received a new source selection implementation, I believe the same as announced for HEAD. Here I found a problem.

One of my machines tunnels a private subnet via IPSEC (esp/tunnel). Let's assume my private subnet is 192.168.90.0/24 and the "foreign" subnet is 192.168.200.0/24. When I send packets via this tunnel I must ensure the right source address, because the machine has several interfaces. (BTW: this is so easy with openvpn and real routing, but sometimes other people decide..)

An easy solution was for me:

    ifconfig lo2 inet 192.168.90.254/32
    route add -net 192.168.200.0/24 -iface lo2

The route is a "dummy" route only, because the IPSEC SPD determines the packet flow. This worked well in the past, but not with your patch. On a connect(2) call for the tunneled subnet I always receive "Network unreachable".
The following _wild hack_(tm) solves the problem _for me_; it is only to show the problem to you:

--- sys/netinet/in_pcb.c.orig 2008-11-27 14:57:25.887082927 +0100 +++ sys/netinet/in_pcb.c 2008-11-27 14:29:28.918257601 +0100 @@ -697,6 +697,9 @@ in_pcbladdr(struct inpcb *inp, struct in ia = ifatoia(ifa_ifwithnet(sintosa(&sain))); if (cred == NULL || !jailed(cred)) { +// FB2008-11-27 + ia = (struct in_ifaddr *)sro.ro_rt->rt_ifa; +// FB if (ia == NULL) { error = ENETUNREACH; goto done;

Can you provide a patch to solve the connect problem? Is there a better solution to set up source address selection for IPSEC tunnels?

Regards, Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
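Review bot: in the in_pcbladdr() hunk above, the added line "ia = (struct in_ifaddr *)sro.ro_rt->rt_ifa;" unconditionally overwrites the ia that was just computed from ifa_ifwithnet(), and it dereferences sro.ro_rt with no NULL check in the hunk itself, so a connect for which no route was found would dereference NULL instead of reaching the "error = ENETUNREACH" path right below it. If the route's interface address is meant as a fallback for the dummy "-iface lo2" route case, guard it and use the tree's own accessor: "if (ia == NULL && sro.ro_rt != NULL) ia = ifatoia(sro.ro_rt->rt_ifa);". The "// FB2008-11-27" / "// FB" markers are not style(9) comments and should be dropped before this is proposed as a real patch.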
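To see which source address the kernel actually picks for a destination (and to reproduce the "Network unreachable" failure without a full TCP handshake), the following added example can be run on the box before and after applying the patch. It is not code from Frank's mail or from the FreeBSD tree: it does a UDP connect(2), which goes through the same in-kernel source address selection as the TCP connect(2) in the mail but sends no packet, and then reads the chosen local address back with getsockname(2). The default destination 192.168.200.1 is a constructed host address inside the mail's tunneled subnet; any destination can be given on the command line.

```c
/*
 * Added example (not from the original mail or the FreeBSD tree): ask the
 * kernel which source address it would select for a destination.  A UDP
 * connect(2) runs the same in-kernel source selection as a TCP connect(2)
 * but transmits nothing; getsockname(2) then reveals the chosen local
 * address.  If no route matches, connect(2) fails with ENETUNREACH, the
 * "Network unreachable" reported in the mail.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Fill src with the kernel-selected source address for dst.
 * Returns 0 on success, -1 with errno set on failure
 * (EINVAL for an unparsable dst, ENETUNREACH when no route matches).
 */
int
selected_source(const char *dst, char *src, size_t srclen)
{
	struct sockaddr_in sin, local;
	socklen_t len = sizeof(local);
	int s, saved;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(9);	/* discard port; arbitrary, nothing is sent */
	if (inet_pton(AF_INET, dst, &sin.sin_addr) != 1) {
		errno = EINVAL;
		return (-1);
	}
	s = socket(AF_INET, SOCK_DGRAM, 0);
	if (s < 0)
		return (-1);
	/* connect(2) on a UDP socket only binds the local side via the routing table. */
	if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
	    getsockname(s, (struct sockaddr *)&local, &len) < 0) {
		saved = errno;
		close(s);
		errno = saved;
		return (-1);
	}
	close(s);
	if (inet_ntop(AF_INET, &local.sin_addr, src, srclen) == NULL)
		return (-1);
	return (0);
}

int
main(int argc, char **argv)
{
	char src[INET_ADDRSTRLEN];
	/* Constructed default: a host inside the mail's 192.168.200.0/24 tunnel subnet. */
	const char *dst = argc > 1 ? argv[1] : "192.168.200.1";

	if (selected_source(dst, src, sizeof(src)) < 0) {
		fprintf(stderr, "%s: connect failed: %s\n", dst, strerror(errno));
		return (1);
	}
	printf("%s -> source %s\n", dst, src);
	return (0);
}
```

With the lo2 alias and the dummy -iface route from the mail in place, the expected output on an unpatched kernel is "192.168.200.1 -> source 192.168.90.254"; with the patched kernel the mail describes, the same run prints "connect failed: Network is unreachable", which is the ENETUNREACH path of in_pcbladdr() that the quoted hunk touches.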