Stuart Henderson <s...@spacehopper.org> writes:
> On 2017/02/13 09:54, Jason Tubnor wrote:
>> Hi,
>>
>> Upon implementation of etherip(4) over an iked(8) connection, I had issues
>> with passing etherip traffic over the connection.
>>
>> The -current man page states:
>>
>> "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless
>> ipsec(4) is being used to protect the traffic."
>>
>> However, unless net.inet.etherip.allow was set to 1, traffic would not pass
>> over the etherip interface even if using ipsec(4).
>>
>> Digging through the mail archive (
>> http://marc.info/?l=openbsd-misc&w=2&r=1&s=etherip&q=b ), others have had
>> this issue:
>>
>> http://marc.info/?l=openbsd-misc&m=148613113216663&w=2
>> http://marc.info/?l=openbsd-misc&m=147912428400635&w=2
>>
>> Which then led me to have a casual look over the code:
>>
>> /usr/src/sys/net/if_etherip.c
>>
>> which also leads to:
>>
>> /usr/src/sys/netinet/ip_ether.c
>>
>> It appeared to me that if net.inet.etherip.allow=1 was not set, then drop
>> the packets. I couldn't see any reference to ipsec(4) traffic being
>> allowed to pass.
>>
>> Below is a patch to the etherip(4) man page to clarify that
>> net.inet.etherip.allow must be set to 1 and remove the reference to
>> ipsec(4) if traffic needs to pass on the etherip interface.
>
> It seems to me that the bug is in the code rather than the manual.
> There's not much point in having a sysctl to set whether or not etherip can
> be used. But there's very much point in preventing it from being used if your
> configured IPsec protection doesn't come up correctly.
Indeed. The diff below fixes this for me (tested with ipsec.conf & IPv4). ok? Index: if_etherip.c =================================================================== RCS file: /d/cvs/src/sys/net/if_etherip.c,v retrieving revision 1.15 diff -u -p -p -u -r1.15 if_etherip.c --- if_etherip.c 7 Mar 2017 23:35:06 -0000 1.15 +++ if_etherip.c 21 Mar 2017 07:08:58 -0000 @@ -423,7 +423,7 @@ ip_etherip_input(struct mbuf **mp, int * return IPPROTO_DONE; } - if (!etherip_allow) { + if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { m_freem(m); etheripstat.etherips_pdrops++; return IPPROTO_DONE; @@ -579,7 +579,7 @@ ip6_etherip_input(struct mbuf **mp, int struct ifnet *ifp = NULL; - if (!etherip_allow) { + if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { m_freem(m); etheripstat.etherips_pdrops++; return IPPROTO_NONE; -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
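Review bot: in the ip_etherip_input hunk, the new test `(m->m_flags & (M_AUTH|M_CONF)) == 0` lets a packet through when either flag is set, so an SA that provides confidentiality without authentication (M_CONF only) also bypasses the etherip_allow check; if the intent is that only integrity-protected traffic may be bridged without the sysctl, test M_AUTH alone, otherwise it is worth stating in the commit message that either form of IPsec processing qualifies. The etherip(4) sentence quoted above ("unless ipsec(4) is being used to protect the traffic") now matches the code, but the manual could say that the exemption applies per packet, to traffic that arrived through an IPsec SA, since that is what the flag test expresses.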
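Review bot: the ip6_etherip_input hunk repeats the exact condition from the IPv4 path; a small shared helper (for example an inline `etherip_ipsec_ok(m)`, name suggested here, not from the diff) would keep the two branches from drifting if the flag test is adjusted later. The cover note says the diff was tested with ipsec.conf and IPv4 only, so the IPv6 branch is untested as posted; a quick IPv6 run before commit would cover it.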