On 21 March 2017 at 09:52, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
> Stuart Henderson <s...@spacehopper.org> writes:
>
>> On 2017/02/13 09:54, Jason Tubnor wrote:
>>> Hi,
>>>
>>> Upon implementation of etherip(4) over an iked(8) connection, I had issues
>>> with passing etherip traffic over the connection.
>>>
>>> The -current man page states:
>>>
>>> "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless
>>> ipsec(4) is being used to protect the traffic."
>>>
>>> However, unless net.inet.etherip.allow was set to 1, traffic would not pass
>>> over the etherip interface even if using ipsec(4).
>>>
>>> Digging through the mail archive (
>>> http://marc.info/?l=openbsd-misc&w=2&r=1&s=etherip&q=b ), others have had
>>> this issue:
>>>
>>> http://marc.info/?l=openbsd-misc&m=148613113216663&w=2
>>> http://marc.info/?l=openbsd-misc&m=147912428400635&w=2
>>>
>>> Which then led me to have a casual look over the code:
>>>
>>> /usr/src/sys/net/if_etherip.c
>>>
>>> which also leads to:
>>>
>>> /usr/src/sys/netinet/ip_ether.c
>>>
>>> It appeared to me that if net.inet.etherip.allow=1 was not set, then drop
>>> the packets. I couldn't see any reference to ipsec(4) traffic being
>>> allowed to pass.
>>>
>>> Below is a patch to the etherip(4) man page to clarify that
>>> net.inet.etherip.allow must be set to 1 and remove the reference to
>>> ipsec(4) if traffic needs to pass on the etherip interface.
>>
>> It seems to me that the bug is in the code rather than the manual.
>> There's not much point in having a sysctl to set whether or not etherip can
>> be used. But there's very much point in preventing it from being used if your
>> configured IPsec protection doesn't come up correctly.
>
> Indeed. The diff below fixes this for me (tested with ipsec.conf &
> IPv4).
>
> ok?
>
OK mikeb. This is in line with what other parts are doing. However I'd like to see the knob removed after 6.1.
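The thread argues about one decision in the etherip input path: whether net.inet.etherip.allow should be the only gate (what Jason observed), or whether a packet that arrived under an IPsec SA should be accepted regardless of the knob (what the man page promises and Stuart asks for). The following is an added illustration written for this page, not OpenBSD kernel code and not Jeremie's diff (which is not reproduced here). It models both behaviours as plain C functions and shows the fail-open case Stuart describes. The flag names EX_M_CONF and EX_M_AUTH are this example's own stand-ins, chosen to mirror the names of OpenBSD's mbuf flags for "payload was decrypted by ESP" and "payload was authenticated by AH/ESP"; the values are assumptions for the example, not taken from sys/mbuf.h.

```c
#include <stdio.h>

/*
 * Stand-ins for the mbuf flags an IPsec-processed packet carries.
 * Names mirror OpenBSD's M_CONF / M_AUTH; values are assumed for this
 * example only and are NOT the kernel's.
 */
#define EX_M_CONF 0x0400   /* assumed: payload was decrypted by ESP */
#define EX_M_AUTH 0x0800   /* assumed: payload was authenticated by AH/ESP */

enum etherip_verdict { ETHERIP_DROP = 0, ETHERIP_ACCEPT = 1 };

/* Behaviour the reporter observed: the sysctl knob alone decides. */
enum etherip_verdict etherip_accept_knob_only(int allow, unsigned mflags)
{
	(void)mflags;                       /* IPsec state is never consulted */
	return allow ? ETHERIP_ACCEPT : ETHERIP_DROP;
}

/*
 * Behaviour the man page describes: the knob only gates *unprotected*
 * etherip.  A packet that came in through an IPsec SA carries the
 * confidentiality and/or authentication flag and is accepted even with
 * the knob off.  Modelled on the "allow || protected" shape used by other
 * tunnel inputs, as an illustration rather than a copy of any of them.
 */
enum etherip_verdict etherip_accept_ipsec_aware(int allow, unsigned mflags)
{
	if (!allow && (mflags & (EX_M_CONF | EX_M_AUTH)) == 0)
		return ETHERIP_DROP;
	return ETHERIP_ACCEPT;
}

/*
 * Stuart's failure mode: the IPsec SA never comes up (or is torn down)
 * and the peer's etherip now arrives in the clear.  Returns 1 if such a
 * plaintext frame would be accepted, i.e. the tunnel silently fails open.
 * With allow=0 the IPsec-aware check fails closed; with allow=1 it cannot.
 */
int fails_open_when_ipsec_down(int allow)
{
	return etherip_accept_ipsec_aware(allow, 0) == ETHERIP_ACCEPT;
}

int main(void)
{
	/* constructed scenarios covering the cases discussed in the thread */
	struct { const char *name; int allow; unsigned flags; } cases[] = {
		{ "knob=0, plain",    0, 0 },
		{ "knob=0, ESP",      0, EX_M_CONF | EX_M_AUTH },
		{ "knob=0, AH only",  0, EX_M_AUTH },
		{ "knob=1, plain",    1, 0 },
	};
	size_t i;

	printf("%-18s %-10s %s\n", "case", "knob-only", "ipsec-aware");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-18s %-10s %s\n", cases[i].name,
		    etherip_accept_knob_only(cases[i].allow, cases[i].flags)
		        ? "accept" : "drop",
		    etherip_accept_ipsec_aware(cases[i].allow, cases[i].flags)
		        ? "accept" : "drop");

	printf("\nallow=1 fails open if IPsec is down: %s\n",
	    fails_open_when_ipsec_down(1) ? "yes" : "no");
	printf("allow=0 fails open if IPsec is down: %s\n",
	    fails_open_when_ipsec_down(0) ? "yes" : "no");
	return 0;
}
```

The practical takeaway for an operator running etherip over iked(8) or isakmpd(8) is the last two lines of output: setting net.inet.etherip.allow=1 as a workaround makes the tunnel pass traffic whether or not the SA is up, which is exactly the property Stuart wants the code to deny; once the input path consults the IPsec flags, the knob can stay at 0 and a lost SA stops the tunnel instead of exposing it.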