Date: Sat, 22 Jun 2013 04:21:39 GMT From: John Wehle <john@feith.com> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/179829: net/route.c 248895 breaks some VPNs Message-ID: <201306220421.r5M4LdAX096957@oldred.freebsd.org> Resent-Message-ID: <201306220430.r5M4U0On099187@freefall.freebsd.org>
index | next in thread | raw e-mail
>Number: 179829
>Category: kern
>Synopsis: net/route.c 248895 breaks some VPNs
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 22 04:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: John Wehle
>Release: FreeBSD 9.1-STABLE 252047M
>Organization:
>Environment:
FreeBSD carmen.FEITH.COM 9.1-STABLE FreeBSD 9.1-STABLE #1 r235103:252047M: Fri Jun 21 23:31:53 EDT 2013 root@wagner.FEITH.COM:/usr/obj/amd64.amd64/usr/src/sys/CUSTOM amd64
>Description:
Have been using mpd to maintain a VPN for years. The link up
script does:
/sbin/route add -host "${REMOTE}" "${DEFAULT}"
/sbin/route add -net "${REMOTE}/24" -interface "${IFACE}"
where REMOTE = 192.251.93.62, DEFAULT = 71.224.208.1, IFACE = ng0.
This normally produces a routing table such as:
Destination Gateway Flags Refs Use Netif Expire
default 71.224.208.1 UGS 0 45 ale0
71.224.208.0/21 link#2 U 0 0 ale0
71.224.209.156 link#2 UHS 0 0 lo0
192.251.93.62 71.224.208.1 UGHS 0 118 ale0
192.251.93.165 link#13 UHS 0 0 lo0
192.251.93.0/24 ng0 US 0 82 ng0
The latest change to net/route.c produces a routing table such as:
Destination Gateway Flags Refs Use Netif Expire
default 71.224.208.1 UGS 0 557 ale0
71.224.208.0/21 link#2 U 0 0 ale0
71.224.209.156 link#2 UHS 0 0 lo0
192.251.93.62 link#13 UH 0 10 ng0
192.251.93.165 link#13 UHS 0 0 lo0
192.251.93.0/24 ng0 US 0 0 ng0
Specifically note that the remote VPN endpoint (192.251.93.62) is no
longer accessed through the correct interface. Instead a loop is
created ... packets to 192.251.93.62 are routed through ng0 which
generates encapsulated packets going to 192.251.93.62 which are
routed through ng0 ....
An explict route table entry for a host should have a higher priorty than
a route table entry for a net.
>How-To-Repeat:
Configure a VPN where the remote endpoint is on the same network as the
the remote network being accessed over the VPN. Use route to add an
explict route for the remote VPN endpoint and a separate route for the
remote VPN network. Notice that the VPN endpoint gets routed over the
VPN interface thus creating a loop.
>Fix:
Replacing net/route.c 248895 with net/route.c 235103 fixes the problem.
>Release-Note:
>Audit-Trail:
>Unformatted:
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201306220421.r5M4LdAX096957>