Bug 194761 - [gif][ipsec][regression] tunnel with linux partially broken after r273859
Status: Closed FIXED
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.0-STABLE
Hardware: amd64 Any
Importance: --- Affects Some People
Assignee: Andrey V. Elsukov
Reported: 2014-11-02 16:41 UTC by dmitry2004
Modified: 2014-11-05 09:26 UTC
Description dmitry2004 2014-11-02 16:41:28 UTC
My system is FreeBSD 10.1-PRERELEASE (system1).

I have a tunnel to FreeBSD 9.3-STABLE r270954 (gif1) (system2)
and one to Gentoo Linux, Kernel 3.16 and 3.17, ipsec-tools 0.8.2 (gif2) (system3).

Both are encrypted with IPsec.

I checked the working revision r273453 and the broken revision r273960.

The tunnel (gif1) to FreeBSD 9.3-STABLE works with r273453 and r273960.
The tunnel (gif2) to Gentoo Linux, Kernel 3.16 and 3.17, works with r273453 and is broken with r273960.

Connections to gateway services and ping from FreeBSD (system1) to Linux (system3) do not work. Connections and ping from the FreeBSD (system1) LAN work fine.
Ping from Linux (system3) to FreeBSD (system1) works.
Comment 1 commit-hook freebsd_committer 2014-11-05 09:24:05 UTC
A commit references this bug:

Author: ae
Date: Wed Nov  5 09:23:31 UTC 2014
New revision: 274132
URL: https://svnweb.freebsd.org/changeset/base/274132

Log:
  MFC r266800 by vanhu:
    IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels.
    For IPv6-in-IPv4, you may need to do the following command
    on the tunnel interface if it is configured as IPv4 only:
    ifconfig <interface> inet6 -ifdisabled

    Code logic inspired from NetBSD.
    PR: kern/169438

  MFC r266822 by bz:
    Use IPv4 statistics in ipsec4_process_packet() rather than the IPv6
    version.  This also unbreaks the NOINET6 builds after r266800.

  MFC r268083 by zec:
    The assumption in ipsec4_process_packet() that the payload may be
    only IPv4 is wrong, so check the IP version before mangling the
    payload header.

  MFC r272394:
    Do not strip outer header when operating in transport mode.
    Instead requeue mbuf back to IPv4 protocol handler. If there is one extra IP-IP
    encapsulation, it will be handled with tunneling interface. And thus proper
    interface will be exposed into mbuf's rcvif. Also, tcpdump that listens on tunneling
    interface will see packets in both directions.

  PR:		194761

Changes:
_U  stable/10/
  stable/10/sys/netinet6/ip6_forward.c
  stable/10/sys/netinet6/ip6_ipsec.c
  stable/10/sys/netinet6/ip6_ipsec.h
  stable/10/sys/netinet6/ip6_output.c
  stable/10/sys/netinet6/ip6_var.h
  stable/10/sys/netipsec/ipsec6.h
  stable/10/sys/netipsec/ipsec_input.c
  stable/10/sys/netipsec/ipsec_output.c
  stable/10/sys/netipsec/xform_ipip.c
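
The r268083 entry in the log above says the payload's IP version has to be checked before its header is modified. The following is an added illustration of that check in userland C, not code from the FreeBSD tree or from this commit. The function names are hypothetical, and the checksum refresh is an assumed stand-in for the IPv4-specific header handling the log refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IP version (4 or 6) of a tunnel payload, or -1 if short or malformed. */
int payload_ip_version(const uint8_t *p, size_t len)
{
    if (len >= 1 && (p[0] >> 4) == 4) {
        size_t hlen = (size_t)(p[0] & 0x0f) * 4;  /* IHL, 32-bit words */
        return (hlen >= 20 && hlen <= len) ? 4 : -1;
    }
    if (len >= 40 && (p[0] >> 4) == 6)            /* fixed IPv6 header */
        return 6;
    return -1;
}

/* RFC 1071 one's-complement checksum over an IPv4 header. */
static uint16_t ipv4_hdr_cksum(const uint8_t *h, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)h[i] << 8) | h[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical fix-up step: refresh the IPv4 header checksum only when the
 * payload really is IPv4; anything else is left untouched. */
int fixup_payload(uint8_t *p, size_t len)
{
    int v = payload_ip_version(p, len);
    if (v == 4) {
        size_t hlen = (size_t)(p[0] & 0x0f) * 4;
        p[10] = p[11] = 0;                        /* checksum field */
        uint16_t c = ipv4_hdr_cksum(p, hlen);
        p[10] = (uint8_t)(c >> 8);
        p[11] = (uint8_t)(c & 0xff);
    }
    return v;
}

int main(void)
{
    uint8_t v6[40] = { 0x60 };   /* constructed IPv6 header, not captured */
    v6[10] = 0xaa;               /* byte inside the IPv6 source address */
    int v = fixup_payload(v6, sizeof v6);
    printf("version=%d byte10=0x%02x\n", v, v6[10]);
    return 0;
}
```

Without the version check, the IPv4 fix-up would write to offsets 10 and 11, which in an IPv6 header lie inside the source address.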