Date: Mon, 27 Mar 2000 21:00:02 -0800 (PST) From: Louis Mamakos <louie@TransSys.COM> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/17606 bad IPSEC and traceroute interaction, with fix! Message-ID: <200003280500.VAA34714@freefall.freebsd.org>
The following reply was made to PR bin/17606; it has been noted by GNATS.
From: Louis Mamakos <louie@TransSys.COM>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Re: bin/17606 bad IPSEC and traceroute interaction, with fix!
Date: Mon, 27 Mar 2000 23:52:10 -0500 (EST)
>Submitter-Id: current-users
>Originator: Louis Mamakos
>Organization:
>Confidential: no
>Synopsis: traceroute and kernel-IPSEC policy can interact badly
>Severity: non-critical
>Priority: medium
>Category: bin
>Release: FreeBSD 5.0-CURRENT i386
>Class: sw-bug
>Environment:
FreeBSD 5.0-current, as of 25 March or so. Kernel configured with
IPSEC.
>Description:
When the default kernel IPSEC policy (as configured with setkey(8))
includes all the traffic to a particular host, then attempting a
traceroute to that host fails. The packets being sent are encrypted,
and thus the ICMP time exceeded message cannot be returned.
This is a follow-up to PR bin/17606
>How-To-Repeat:
As described.
>Fix:
Steal the same sort of fix done in traceroute6, and apply to the IPv4
"standard" traceroute in FreeBSD. Patch could be as attached.
Surprisingly, the ipsec.h file is in sys/netinet6 rather than sys/netinet.
Index: contrib/traceroute/traceroute.c
===================================================================
RCS file: /usr/local/FreeBSD/cvs/src/contrib/traceroute/traceroute.c,v
retrieving revision 1.11
diff -u -r1.11 traceroute.c
--- contrib/traceroute/traceroute.c 1999/06/25 21:48:40 1.11
+++ contrib/traceroute/traceroute.c 2000/03/28 04:38:10
@@ -24,7 +24,7 @@
"@(#) Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996\n\
The Regents of the University of California. All rights reserved.\n";
static const char rcsid[] =
- "@(#)$Header: /home/ncvs/src/contrib/traceroute/traceroute.c,v 1.10 1999/05/12 17:28:31 archie Exp $ (LBL)";
+ "@(#)$Header: /usr/local/FreeBSD/cvs/src/contrib/traceroute/traceroute.c,v 1.11 1999/06/25 21:48:40 archie Exp $ (LBL)";
#endif
/*
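Review bot: the rcsid change in this hunk is local CVS keyword noise (the $Header$ path now points at /usr/local/FreeBSD/cvs rather than /home/ncvs) and has nothing to do with the fix; drop it from the submitted patch so the diff stays limited to the IPSEC change.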
@@ -217,6 +217,11 @@
#include <arpa/inet.h>
+#ifdef IPSEC
+#include <net/route.h>
+#include <netinet6/ipsec.h> /* XXX */
+#endif /* IPSEC */
+
#include <ctype.h>
#include <errno.h>
#ifdef HAVE_MALLOC_H
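Review bot: the bare `/* XXX */` beside `#include <netinet6/ipsec.h>` should say what it flags; the cover text already explains that the header lives in sys/netinet6 rather than sys/netinet, so a comment such as `/* XXX ipsec.h lives in netinet6 but is used for IPv4 too */` records that for the next reader. Also confirm that <err.h> is already included in this file, since the later hunks call errx() and warnx().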
@@ -322,6 +327,9 @@
char *getaddr(u_int32_t *, char *);
char *getsin(struct sockaddr_in *, char *);
char *savestr(const char *);
+#ifdef IPSEC
+int setpolicy __P((int so, char *policy));
+#endif
void send_probe(int, int);
void tvsub(struct timeval *, struct timeval *);
__dead void usage(void);
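Review bot: the prototype is written with the `__P((int so, char *policy))` macro while the neighbouring declarations in this hunk are plain ANSI prototypes (`char *savestr(const char *);`); write it as `int setpolicy(int, char *);` for consistency. The guard here is `#ifdef IPSEC`, but the definition and the call sites are wrapped in `defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)`; use the same condition in all three places so the prototype cannot be declared for a function that is never compiled.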
@@ -718,6 +726,14 @@
#endif
}
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+ if (setpolicy(sndsock, "in bypass") < 0)
+ errx(1, ipsec_strerror());
+
+ if (setpolicy(sndsock, "out bypass") < 0)
+ errx(1, ipsec_strerror());
+#endif /* defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) */
+
Fprintf(stderr, "%s to %s (%s)",
prog, hostname, inet_ntoa(to->sin_addr));
if (source)
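Review bot: `errx(1, ipsec_strerror())` passes the library's error string as the printf-style format argument, so any `%` sequence in that string is interpreted as a conversion; this is a setuid binary (BINMODE=4555 in the Makefile hunk), so use `errx(1, "%s", ipsec_strerror())` on both lines. Also, "in bypass" is applied to sndsock, the socket probes are written to; check that the ICMP replies are read from the same descriptor, otherwise the inbound bypass belongs on the receive socket instead.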
@@ -884,6 +900,28 @@
return(cc);
}
+
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+int
+setpolicy(so, policy)
+ int so;
+ char *policy;
+{
+ char *buf;
+
+ buf = ipsec_set_policy(policy, strlen(policy));
+ if (buf == NULL) {
+ warnx(ipsec_strerror());
+ return -1;
+ }
+ (void)setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY,
+ buf, ipsec_get_policylen(buf));
+
+ free(buf);
+
+ return 0;
+}
+#endif
void
send_probe(int seq, int ttl)
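Review bot: the setsockopt() return value is discarded with `(void)`, so a failed IP_IPSEC_POLICY call (for example EINVAL from a kernel built without IPSEC_POLICY_IPSEC support) leaves setpolicy() returning 0 and the caller believing the bypass is in place, which reproduces the original failure silently; save the result, `warn("setsockopt")` on failure, free(buf), and return -1. `warnx(ipsec_strerror())` has the same non-literal format-string problem as the call sites; use `warnx("%s", ipsec_strerror())`. A blank line between the closing `#endif` and `void send_probe` would also match the surrounding layout.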
Index: usr.sbin/traceroute/Makefile
===================================================================
RCS file: /usr/local/FreeBSD/cvs/src/usr.sbin/traceroute/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- usr.sbin/traceroute/Makefile 1999/08/28 01:20:22 1.11
+++ usr.sbin/traceroute/Makefile 2000/03/28 04:33:17
@@ -4,7 +4,7 @@
MAN8= traceroute.8
BINMODE=4555
CFLAGS+=-DHAVE_SYS_SELECT_H=1 -DHAVE_SETLINEBUF=1 -DHAVE_RAW_OPTIONS=1 \
- -DSTDC_HEADERS=1
+ -DSTDC_HEADERS=1 -DIPSEC
# RTT Jitter on the internet these days means printing 3 decimal places on
# > 1000ms times is plain useless. Uncomment this to enable variable precision
# reporting, ie: print a variable precision from 0.001ms through 1000ms
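Review bot: `-DIPSEC` is added to CFLAGS unconditionally, so the IPsec code is compiled into every traceroute build, including hosts whose kernel lacks the IPSEC option, and libipsec becomes a hard build dependency; that is only safe at run time if the setsockopt failure path in setpolicy() is handled. Consider guarding the define (together with the library linkage) behind the same build knob the rest of the tree uses for IPsec userland.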
@@ -12,6 +12,8 @@
SRCS= version.c traceroute.c
CLEANFILES+= version.c
+DPADD= ${LIBIPSEC}
+LDADD= -lipsec
TRACEROUTE_DISTDIR?= ${.CURDIR}/../../contrib/traceroute
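Review bot: `DPADD=` and `LDADD=` use plain assignment, which overwrites any values already set for these variables in this Makefile or by the bsd.prog.mk machinery; use `DPADD+= ${LIBIPSEC}` and `LDADD+= -lipsec` as other Makefiles in the tree do.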
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200003280500.VAA34714>
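The kernel policy described in the PR above, as an added example that is not part of the original message or of the FreeBSD source: a setkey(8) security policy database that requires ESP for every packet to and from one host. The address 192.0.2.10 is a documentation-range placeholder, the SA entries are assumed and omitted, and the SPD entries below are the kind of "default kernel IPSEC policy" the report refers to.

```conf
# Added example (not from the PR): setkey(8) SPD entries that force
# all traffic to and from 192.0.2.10 through ESP in transport mode.
# 192.0.2.10 is a placeholder; the matching SAs (add ... esp ...) are
# assumed to exist and are not shown.
spdadd 0.0.0.0/0 192.0.2.10/32 any -P out ipsec esp/transport//require;
spdadd 192.0.2.10/32 0.0.0.0/0 any -P in  ipsec esp/transport//require;
```

With this in place, every UDP probe traceroute sends towards 192.0.2.10 matches the "out" entry and is wrapped in ESP before its TTL expires, which is the failure the report describes. The patch above works around it per process rather than per host: the IP_IPSEC_POLICY socket option installed by setpolicy() attaches an "out bypass" / "in bypass" policy to the probe socket only, so the SPD entries keep protecting the rest of the system's traffic to that host.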
