Date: Mon, 27 Mar 2000 21:00:02 -0800 (PST)
From: Louis Mamakos
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/17606 bad IPSEC and traceroute interaction, with fix!

The following reply was made to PR bin/17606; it has been noted by GNATS.
From: Louis Mamakos
To: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/17606 bad IPSEC and traceroute interaction, with fix!
Date: Mon, 27 Mar 2000 23:52:10 -0500 (EST)

>Submitter-Id: current-users
>Originator: Louis Mamakos
>Organization:
>Confidential: no
>Synopsis: traceroute and kernel-IPSEC policy can interact badly
>Severity: non-critical
>Priority: medium
>Category: bin
>Release: FreeBSD 5.0-CURRENT i386
>Class: sw-bug
>Environment:
FreeBSD 5.0-current, as of 25 March or so. Kernel configured with IPSEC.
>Description:
When the default kernel IPSEC policy (as configured with setkey(8)) includes all the traffic to a particular host, then attempting a traceroute to that host fails. The packets being sent are encrypted, and thus the ICMP time exceeded message cannot be returned. This is a follow-up to PR bin/17606.
>How-To-Repeat:
As described.
>Fix:
Steal the same sort of fix done in traceroute6, and apply to the IPv4 "standard" traceroute in FreeBSD. Patch could be as attached. Surprisingly, the ipsec.h file is in sys/netinet6 rather than sys/netinet.

Index: contrib/traceroute/traceroute.c =================================================================== RCS file: /usr/local/FreeBSD/cvs/src/contrib/traceroute/traceroute.c,v retrieving revision 1.11 diff -u -r1.11 traceroute.c --- contrib/traceroute/traceroute.c 1999/06/25 21:48:40 1.11 +++ contrib/traceroute/traceroute.c 2000/03/28 04:38:10 @@ -24,7 +24,7 @@ "@(#) Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996\n\ The Regents of the University of California. All rights reserved.\n"; static const char rcsid[] = - "@(#)$Header: /home/ncvs/src/contrib/traceroute/traceroute.c,v 1.10 1999/05/12 17:28:31 archie Exp $ (LBL)"; + "@(#)$Header: /usr/local/FreeBSD/cvs/src/contrib/traceroute/traceroute.c,v 1.11 1999/06/25 21:48:40 archie Exp $ (LBL)"; #endif /* @@ -217,6 +217,11 @@ #include +#ifdef IPSEC +#include +#include /* XXX */ +#endif /* IPSEC */ + #include #include #ifdef HAVE_MALLOC_H 
@@ -322,6 +327,9 @@ char *getaddr(u_int32_t *, char *); char *getsin(struct sockaddr_in *, char *); char *savestr(const char *); +#ifdef IPSEC +int setpolicy __P((int so, char *policy)); +#endif void send_probe(int, int); void tvsub(struct timeval *, struct timeval *); __dead void usage(void); @@ -718,6 +726,14 @@ #endif } +#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) + if (setpolicy(sndsock, "in bypass") < 0) + errx(1, ipsec_strerror()); + + if (setpolicy(sndsock, "out bypass") < 0) + errx(1, ipsec_strerror()); +#endif /* defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) */ + Fprintf(stderr, "%s to %s (%s)", prog, hostname, inet_ntoa(to->sin_addr)); if (source) @@ -884,6 +900,28 @@ return(cc); } + +#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) +int +setpolicy(so, policy) + int so; + char *policy; +{ + char *buf; + + buf = ipsec_set_policy(policy, strlen(policy)); + if (buf == NULL) { + warnx(ipsec_strerror()); + return -1; + } + (void)setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY, + buf, ipsec_get_policylen(buf)); + + free(buf); + + return 0; +} +#endif void send_probe(int seq, int ttl) Index: usr.sbin/traceroute/Makefile =================================================================== RCS file: /usr/local/FreeBSD/cvs/src/usr.sbin/traceroute/Makefile,v retrieving revision 1.11 diff -u -r1.11 Makefile --- usr.sbin/traceroute/Makefile 1999/08/28 01:20:22 1.11 +++ usr.sbin/traceroute/Makefile 2000/03/28 04:33:17 @@ -4,7 +4,7 @@ MAN8= traceroute.8 BINMODE=4555 CFLAGS+=-DHAVE_SYS_SELECT_H=1 -DHAVE_SETLINEBUF=1 -DHAVE_RAW_OPTIONS=1 \ - -DSTDC_HEADERS=1 + -DSTDC_HEADERS=1 -DIPSEC # RTT Jitter on the internet these days means printing 3 decimal places on # > 1000ms times is plain useless. Uncomment this to enable variable precision # reporting, ie: print a variable precision from 0.001ms through 1000ms 
@@ -12,6 +12,8 @@ SRCS= version.c traceroute.c CLEANFILES+= version.c +DPADD= ${LIBIPSEC} +LDADD= -lipsec TRACEROUTE_DISTDIR?= ${.CURDIR}/../../contrib/traceroute
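Review bot: the first traceroute.c hunk (@@ -24,7 +24,7 @@) changes nothing but the expanded $Header$ keyword string, swapping the /home/ncvs path for this checkout's /usr/local/FreeBSD/cvs path; that is local keyword-expansion noise rather than part of the fix and should be dropped from the patch before commit, otherwise the rcsid line churns with every private checkout.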
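Review bot: in the @@ -718,6 +726,14 @@ hunk the two errx(1, ipsec_strerror()) calls pass a library-supplied string as the printf-style format argument; use errx(1, "%s", ipsec_strerror()) so the message text can never be interpreted as format directives. Also, the Makefile context lines show BINMODE=4555, i.e. traceroute runs setuid root, and as I read the KAME code a "bypass" policy is a privileged request, so these two setpolicy() calls must be placed before the point where traceroute drops its privileges; please confirm that ordering against the surrounding code, since a failure there would be reported only as an obscure ipsec_strerror() message.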
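Review bot: in the new setpolicy() (@@ -884,6 +900,28 @@) the setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY, ...) result is cast to (void), so when the kernel rejects the bypass request the function still returns 0 and traceroute carries on probing under the default policy, which is exactly the failure this PR describes, only now silent. Check the result and report it, for example `if (setsockopt(...) < 0) { warn("setsockopt(IP_IPSEC_POLICY)"); free(buf); return -1; }`, and change warnx(ipsec_strerror()) to warnx("%s", ipsec_strerror()) for the same format-argument reason as in the caller. Minor: the `int setpolicy __P((int so, char *policy));` prototype and the K&R-style definition are inconsistent with the ANSI prototypes on the adjacent lines (getaddr, getsin, savestr); declare it as `int setpolicy(int, char *);` and define it with an ANSI parameter list.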
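Review bot: the two Makefile hunks add -DIPSEC to CFLAGS and -lipsec to LDADD unconditionally, so every traceroute build now requires libipsec and every binary issues the IP_IPSEC_POLICY setsockopt, including on kernels built without IPSEC that do not understand that option; together with the ignored setsockopt result in setpolicy() that failure goes unnoticed. Consider gating the define and the library on the same build knob the rest of the tree uses for IPSEC support, or at minimum make sure a rejected bypass policy is reported to the user rather than dropped.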