From owner-freebsd-net@FreeBSD.ORG Thu Nov 27 14:55:07 2008
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id F09551065673
	for ; Thu, 27 Nov 2008 14:55:07 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27])
	by mx1.freebsd.org (Postfix) with ESMTP id AB1A28FC19
	for ; Thu, 27 Nov 2008 14:55:07 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from localhost (amavis.str.cksoft.de [192.168.74.71])
	by mail.cksoft.de (Postfix) with ESMTP id 25EB141C66F;
	Thu, 27 Nov 2008 15:55:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at cksoft.de
Received: from mail.cksoft.de ([62.111.66.27])
	by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024)
	with ESMTP id 08AOMH9QpJ7S; Thu, 27 Nov 2008 15:55:05 +0100 (CET)
Received: by mail.cksoft.de (Postfix, from userid 66)
	id B6BC041C667; Thu, 27 Nov 2008 15:55:05 +0100 (CET)
Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.int.zabbadoz.net (Postfix) with ESMTP id 6CAAF4448D5;
	Thu, 27 Nov 2008 14:53:58 +0000 (UTC)
Date: Thu, 27 Nov 2008 14:53:58 +0000 (UTC)
From: "Bjoern A. Zeeb"
X-X-Sender: bz@maildrop.int.zabbadoz.net
To: Frank Behrens
In-Reply-To: <200811271425.mAREPSwm004057@post.behrens.de>
Message-ID: <20081127143300.M61259@maildrop.int.zabbadoz.net>
References: <200811271425.mAREPSwm004057@post.behrens.de>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-net@freebsd.org
Subject: Re: Problem with new source address selection (was Anyone interested in jail patches?)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 27 Nov 2008 14:55:08 -0000

On Thu, 27 Nov 2008, Frank Behrens wrote:

>> 2b) for RELENG_7:
>> http://people.freebsd.org/~bz/bz_jail7-20081126-02-at153644.diff
>
> With this patch I received a new source selection implementation, I
> believe the same as announced for HEAD. Here I found a problem.

HEAD has had it since the beginning of October, and older jail patches
have also had it for a while now.

> One of my machines tunnels a private subnet via IPSEC (esp/tunnel).
> Let's assume my private subnet is 192.168.90.0/24 and the "foreign"
> subnet is 192.168.200.0/24. When I send packets via this tunnel I
> must ensure the right source address, because the machine has several
> interfaces. (BTW: this is so easy with openvpn and real routing, but
> sometimes other people decide..) An easy solution was for me
>
> ifconfig lo2 inet 192.168.90.254/32
> route add -net 192.168.200.0/24 -iface lo2
>
> The route is a "dummy" route only, because the IPSEC SPD determines
> the packet flow.

Yes, I know that hack, though I never actually used it with a loopback,
as the loopback case is *uhm* gross. You know you are telling the
kernel to actually send the packets to yourself, which so far has just
worked more or less out of luck in my eyes.
So is your 192.168.90.0/24 on any other interface but the lo2? Is it
the only network on that interface, or are there aliases?

> This worked well in the past, but not with your patch. On a connect(2)
> call for the tunneled subnet I always receive "Network unreachable".
> The following _wild hack_(tm) solves the problem _for me_; it is only
> to show the problem to you:

From the code down I take it that the connect(2) call happens outside
any jail and not within a jail, right?

> --- sys/netinet/in_pcb.c.orig	2008-11-27 14:57:25.887082927 +0100
> +++ sys/netinet/in_pcb.c	2008-11-27 14:29:28.918257601 +0100
> @@ -697,6 +697,9 @@ in_pcbladdr(struct inpcb *inp, struct in
> ia = ifatoia(ifa_ifwithnet(sintosa(&sain)));
>
> if (cred == NULL || !jailed(cred)) {
> +// FB2008-11-27
> + ia = (struct in_ifaddr *)sro.ro_rt->rt_ifa;
> +// FB
> if (ia == NULL) {
> error = ENETUNREACH;
> goto done;
>
> Can you provide a patch to solve the connect problem?
> Is there a better solution to setup source address selection for
> IPSEC tunnels?

Let me answer those later; in case you cannot reveal your network
setup in public, contact me offlist.

/bz

--
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.
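Review bot: the added line `ia = (struct in_ifaddr *)sro.ro_rt->rt_ifa;` dereferences `sro.ro_rt` with no NULL check anywhere in the visible lines, so if the preceding route lookup can fail the hunk turns the existing `if (ia == NULL) { error = ENETUNREACH;` path into a kernel panic; guard it with `if (sro.ro_rt != NULL)` or fall through to the `ia == NULL` branch when there is no route. The assignment also unconditionally discards the `ifa_ifwithnet()` result computed two lines earlier for the non-jailed case, which is more than the report needs to show; a minimal probe would only take `rt_ifa` when `ia` is NULL. The `// FB` markers are C++-style comments, which style(9) does not allow in sys/.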
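The failure Frank reports above, as an added example that is not part of the thread and not FreeBSD kernel code: a small userland C model of the two ways in_pcbladdr() could pick a source address, taking it from an interface whose own prefix covers the destination (the ifa_ifwithnet() route) or from the ifa attached to the matched route (what the quoted hunk does with sro.ro_rt->rt_ifa). The interface list (em0 with 10.0.0.1/24, lo2 with 192.168.90.254/32), the routing table with the "dummy" 192.168.200.0/24 -iface lo2 route, and the function names select_source, ifa_withnet, rtlookup and ip4 are all constructed for this example. With a /32 on lo2 no interface prefix covers 192.168.200.0/24, so the first policy yields ENETUNREACH while the second yields 192.168.90.254; for a directly connected destination both agree.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userland model of the source-address choice in in_pcbladdr() as
 * discussed in the thread. Everything here is constructed for the
 * example; it is not kernel code. */

struct ifaddr  { const char *ifname; uint32_t addr; uint32_t mask; };
struct rtentry { uint32_t dst; uint32_t mask; const struct ifaddr *rt_ifa; };

enum policy {
	SRC_FROM_IFWITHNET, /* address of an interface whose prefix covers dst */
	SRC_FROM_RT_IFA     /* address attached to the matched route (quoted hack) */
};

/* Constructed host: em0 carries 10.0.0.1/24, lo2 carries 192.168.90.254/32. */
static const struct ifaddr ifas[] = {
	{ "em0", 0x0A000001u, 0xFFFFFF00u },
	{ "lo2", 0xC0A85AFEu, 0xFFFFFFFFu },
};

/* Constructed routing table: the connected 10.0.0.0/24 plus the "dummy"
 * route 192.168.200.0/24 -iface lo2 from the quoted setup. */
static const struct rtentry rtable[] = {
	{ 0x0A000000u, 0xFFFFFF00u, &ifas[0] },
	{ 0xC0A8C800u, 0xFFFFFF00u, &ifas[1] },
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Dotted quad to host-order uint32_t; 0 on parse failure. */
uint32_t ip4(const char *s)
{
	unsigned a, b, c, d;
	if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
		return 0;
	return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Longest-prefix match; plays the role rtalloc() plays for sro.ro_rt. */
static const struct rtentry *rtlookup(uint32_t dst)
{
	const struct rtentry *best = NULL;
	for (size_t i = 0; i < NELEM(rtable); i++)
		if ((dst & rtable[i].mask) == rtable[i].dst &&
		    (best == NULL || rtable[i].mask > best->mask))
			best = &rtable[i];
	return best;
}

/* Model of ifa_ifwithnet(): first interface whose own prefix covers dst. */
static const struct ifaddr *ifa_withnet(uint32_t dst)
{
	for (size_t i = 0; i < NELEM(ifas); i++)
		if ((dst & ifas[i].mask) == (ifas[i].addr & ifas[i].mask))
			return &ifas[i];
	return NULL;
}

/* Returns 0 and stores the chosen source, or an errno value. */
int select_source(uint32_t dst, enum policy p, uint32_t *src)
{
	const struct rtentry *rt = rtlookup(dst);
	const struct ifaddr *ia;

	if (rt == NULL)
		return EHOSTUNREACH;    /* nothing routes there at all */
	ia = ifa_withnet(dst);
	if (p == SRC_FROM_RT_IFA)
		ia = rt->rt_ifa;        /* rt checked above: no NULL dereference */
	if (ia == NULL)
		return ENETUNREACH;     /* the "Network unreachable" in the report */
	*src = ia->addr;
	return 0;
}

/* Wrappers returning plain values so the outcome can be checked directly. */
int source_errno(const char *dst, enum policy p)
{
	uint32_t s;
	return select_source(ip4(dst), p, &s);
}

uint32_t source_addr(const char *dst, enum policy p)
{
	uint32_t s = 0;
	(void)select_source(ip4(dst), p, &s);
	return s;
}

static void show(const char *dst, enum policy p)
{
	uint32_t s;
	int err = select_source(ip4(dst), p, &s);
	if (err)
		printf("%-14s policy %d -> errno %d\n", dst, (int)p, err);
	else
		printf("%-14s policy %d -> source %u.%u.%u.%u\n", dst, (int)p,
		    (unsigned)(s >> 24), (unsigned)((s >> 16) & 255),
		    (unsigned)((s >> 8) & 255), (unsigned)(s & 255));
}

int main(void)
{
	show("192.168.200.5", SRC_FROM_IFWITHNET); /* ENETUNREACH */
	show("192.168.200.5", SRC_FROM_RT_IFA);    /* 192.168.90.254 via lo2 */
	show("10.0.0.7", SRC_FROM_IFWITHNET);      /* 10.0.0.1, both agree */
	return 0;
}
```

The model keeps the route lookup ahead of the rt_ifa choice on purpose: taking the source from the route only makes sense once the route is known to exist, which is also the check the quoted hunk lacks.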