From: Nick Hilliard
Date: Tue, 27 Nov 2007 10:52:35 +0000
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Subject: Re: tcp md5 checksums broken in 7.0-beta3
Message-ID: <474BF6F3.2070506@netability.ie>
In-Reply-To: <20071126224649.C53707@maildrop.int.zabbadoz.net>

Bjoern A. Zeeb wrote:
> not that this should fix your problem but you might want to start with
> this patch:
>
> http://sources.zabbadoz.net/freebsd/patchset/sys-netinet-tcp-syncache.c-20071126-01.diff

No, probably not. But it may fix a bunch of spurious failed SADB lookup
messages I've been seeing on the box in question.

> I'll try to find your bug the next days (in case you find anything let
> me know).
>
> I don't know how much quagga does these days but policies are set up
> correctly on both machines and you are not finding any failed SADB
> lookup warnings in dmesg on the 7 machine?

The security policy is set up using setkey from config in /etc/ipsec.conf:

> ferris# grep xx /etc/ipsec.conf
> add 193.242.111.9 193.242.111.xx tcp 0x1000 -A tcp-md5 "";

No, there are no failed SADB lookup messages. The kernel code is being
executed, because if I disable md5 from within quagga, the md5 checksum
option completely disappears from the tcp headers. If it's enabled, the
checksum is just zeros.

Nick
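
Added example, not part of the original message and not FreeBSD or quagga code: a check for the symptom reported above, where the TCP MD5 option (RFC 2385, kind 19) is present in a segment but its digest is all zeros. The function names, the addresses 192.0.2.1/192.0.2.2, the key and the sample segment are constructed for illustration.

```python
import hashlib
import socket
import struct

TCPOPT_MD5 = 19  # RFC 2385 TCP MD5 Signature option: kind 19, length 18


def md5_option(segment):
    """Return the 16-byte digest from the TCP MD5 option, or None if absent."""
    header_len = (segment[12] >> 4) * 4
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break  # malformed option, stop parsing
        length = opts[i + 1]
        if kind == TCPOPT_MD5 and length == 18:
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def rfc2385_digest(src, dst, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), data, key."""
    header_len = (segment[12] >> 4) * 4
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]  # options are excluded
    return hashlib.md5(pseudo + fixed + segment[header_len:] + key).digest()


def classify(src, dst, segment, key):
    """Return 'no-option', 'zero-digest', 'valid' or 'mismatch' for one segment."""
    found = md5_option(segment)
    if found is None:
        return "no-option"
    if found == bytes(16):
        return "zero-digest"  # option emitted but never signed
    return "valid" if found == rfc2385_digest(src, dst, segment, key) else "mismatch"


def build_segment(digest):
    """Constructed sample: SYN to port 179, 40-byte header, options NOP NOP MD5."""
    fixed = struct.pack("!HHIIBBHHH", 40000, 179, 1, 0, 10 << 4, 0x02, 65535, 0, 0)
    return fixed + bytes([1, 1, TCPOPT_MD5, 18]) + digest
```

Feeding it the TCP segment bytes (IP header stripped) from a capture on either peer separates "option missing", "option present but unsigned" and "signed with the wrong key", which fail identically at the BGP session level.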