From owner-freebsd-net@FreeBSD.ORG Tue Nov 18 11:45:09 2008
Date: Tue, 18 Nov 2008 11:41:10 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Stephen Clark
Cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD 6.3 gre and tracerouteo
Message-ID: <20081118113823.T61259@maildrop.int.zabbadoz.net>
In-Reply-To: <4921DBB4.4060505@earthlink.net>
References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org>
 <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org>
 <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net>
 <491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net>
 <491DC28E.80804@elischer.org> <1226688153.1719.23.camel@squirrel.corp.cox.com>
 <20081115102746.K61259@maildrop.int.zabbadoz.net> <4921DBB4.4060505@earthlink.net>

On Mon, 17 Nov 2008, Stephen Clark wrote:

Hi,

> Bjoern A. Zeeb wrote:
>> On Fri, 14 Nov 2008, Robert Noland wrote:
>>
>> Hi,
>>
>>>>>> Also just using gre's without the
>>>>>> underlying ipsec tunnels seems to
>>>>>> work properly.
>>
>> The reason for this to my knowledge is:
>> http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4
>>
>> or looking at recent freebsd code:
>> http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164
>> Look for M_DECRYPTED.
>>
>> Now what happens in your case:
>>
>> you receive an IPSec ESP packet, which gets decrypted; that sets
>> M_DECRYPTED on the mbuf, which passes through various parts, gets up to
>> gre, gets decapsulated, is an IP packet (again), gets to ip_input, TTL
>> expired, icmp_error, and it's still the same mbuf that originally got
>> the M_DECRYPTED set. Thus the packet is just freed and you never see
>> anything.
>>
>> So thinking about this has nothing to do with gre (or gif for example
>> as well) in the first place. It's arguably that, passing it on to
>> another decapsulation, the flag should be cleared when entering gre()
>> for example.
>>
>> The other question of course is why we do not send the icmp error back
>> even on plain ipsec? Is it because we could possibly leak information
>> as it's not caught by the policy sending it back?
>>
>> /bz
>>
> Update:
>
> Adding this code in ip_icmp.c makes the traceroute work.
>
> case IPPROTO_GRE:
> hlen += sizeof(struct gre_h);
>
> + m->m_flags &= ~(M_DECRYPTED);

I have two problems with this:

1) my ip_icmp.c doesn't know anything about GRE (in HEAD or on my 6.x
   box) unless I need more coffee.

2) This obviously doesn't solve the problem for gif(4), ...

Can you tell me which branch you are working against (I guess it's 6.3?)
and generate a proper diff?

/bz

-- 
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.
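Review bot: the `+ m->m_flags &= ~(M_DECRYPTED);` line under `case IPPROTO_GRE:` clears the flag inside the ICMP error path itself, which defeats the M_DECRYPTED check in ip_icmp.c that the thread points at for every decrypted packet whose next header is GRE, including one whose TTL expired before any decapsulation took place; that is exactly the information-leak concern raised earlier in the thread, since the ICMP error would quote decrypted payload back to a sender the IPsec policy never vetted. Clearing the flag at the decapsulation boundary instead, when the inner packet enters gre(4) (and likewise gif(4)), as proposed above, keeps the protection on the still-encrypted-origin outer packet and covers the other tunnel types. Separately, the fragment carries no file header or `@@` context, so it cannot be applied to or reviewed against a specific ip_icmp.c revision; a unified diff against the stated branch is needed.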
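The packet path described in the quoted analysis (ESP decryption sets M_DECRYPTED, gre(4) decapsulates, the inner packet re-enters ip_input, and icmp_error drops anything still flagged) as an added user-space model; this is constructed example code, not FreeBSD's, and `mbuf_model`, `icmp_sent_for`, the flag value and the `clear_on_decap` switch are all stand-ins for the kernel's real structures. It shows that clearing the flag at the decapsulation boundary restores the traceroute reply while leaving a decrypted packet whose own TTL expires still protected.

```c
/* Added example, not FreeBSD code: a user-space model of the packet path
 * the thread describes (ESP decrypt -> gre(4) -> ip_input -> icmp_error).
 * Struct and function names are stand-ins that mirror the kernel's. */
#include <stdbool.h>

#define M_DECRYPTED 0x1          /* stand-in flag bit, not the real value */

struct mbuf_model {
    int  flags;
    int  ttl;                    /* TTL of the IP header being processed */
    bool has_gre;                /* payload is GRE carrying another IP packet */
    int  inner_ttl;              /* TTL of that inner IP header */
};

/* The check in ip_icmp.c: no error is generated for a packet that was
 * decrypted; the mbuf is freed and nothing goes back to the sender. */
static bool icmp_error(const struct mbuf_model *m)
{
    return (m->flags & M_DECRYPTED) == 0;   /* true: error would be sent */
}

static bool ip_input(struct mbuf_model *m, bool clear_on_decap);

/* gre(4) input: strip outer IP+GRE headers and hand the inner packet back
 * to ip_input. The thread's proposal is to clear M_DECRYPTED here. */
static bool gre_input(struct mbuf_model *m, bool clear_on_decap)
{
    if (clear_on_decap)
        m->flags &= ~M_DECRYPTED;
    m->ttl = m->inner_ttl;
    m->has_gre = false;
    return ip_input(m, clear_on_decap);
}

static bool ip_input(struct mbuf_model *m, bool clear_on_decap)
{
    if (m->ttl <= 1)
        return icmp_error(m);    /* TTL expired: traceroute's probe */
    if (m->has_gre)
        return gre_input(m, clear_on_decap);
    return false;                /* delivered or forwarded; no error */
}

/* Run one already-decrypted packet (ESP set M_DECRYPTED) through the path;
 * returns whether an ICMP time-exceeded error would be generated. */
bool icmp_sent_for(int ttl, bool has_gre, int inner_ttl, bool clear_on_decap)
{
    struct mbuf_model m = { M_DECRYPTED, ttl, has_gre, inner_ttl };
    return ip_input(&m, clear_on_decap);
}
```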