On 2017/02/13 09:54, Jason Tubnor wrote:
> Hi,
>
> Upon implementation of etherip(4) over an iked(8) connection, I had issues
> with passing etherip traffic over the connection.
>
> The -current man page states:
>
> "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless
> ipsec(4) is being used to protect the traffic."
>
> However, unless net.inet.etherip.allow was set to 1, traffic would not pass
> over the etherip interface even if using ipsec(4).
>
> Digging through the mail archive (
> http://marc.info/?l=openbsd-misc&w=2&r=1&s=etherip&q=b ), others have had
> this issue:
>
> http://marc.info/?l=openbsd-misc&m=148613113216663&w=2
> http://marc.info/?l=openbsd-misc&m=147912428400635&w=2
>
> Which then led me to have a casual look over the code:
>
> /usr/src/sys/net/if_etherip.c
>
> which also leads to:
>
> /usr/src/sys/netinet/ip_ether.c
>
> It appeared to me that if net.inet.etherip.allow=1 was not set, then drop
> the packets. I couldn't see any reference to ipsec(4) traffic being
> allowed to pass.
>
> Below is a patch to the etherip(4) man page to clarify that
> net.inet.etherip.allow must be set to 1 and remove the reference to
> ipsec(4) if traffic needs to pass on the etherip interface.
It seems to me that the bug is in the code rather than the manual. There's not much point in having a sysctl to set whether or not etherip can be used. But there's very much point in preventing it from being used if your configured IPsec protection doesn't come up correctly.
