Stuart Henderson <[email protected]> writes:
> On 2017/02/13 09:54, Jason Tubnor wrote:
>> Hi,
>>
>> Upon implementation of etherip(4) over an iked(8) connection, I had issues
>> with passing etherip traffic over the connection.
>>
>> The -current man page states:
>>
>> "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless
>> ipsec(4) is being used to protect the traffic."
>>
>> However, unless net.inet.etherip.allow was set to 1, traffic would not pass
>> over the etherip interface even if using ipsec(4).
>>
>> Digging through the mail archive (
>> http://marc.info/?l=openbsd-misc&w=2&r=1&s=etherip&q=b ), others have had
>> this issue:
>>
>> http://marc.info/?l=openbsd-misc&m=148613113216663&w=2
>> http://marc.info/?l=openbsd-misc&m=147912428400635&w=2
>>
>> Which then led me to have a casual look over the code:
>>
>> /usr/src/sys/net/if_etherip.c
>>
>> which also leads to:
>>
>> /usr/src/sys/netinet/ip_ether.c
>>
>> It appeared to me that if net.inet.etherip.allow=1 was not set, then the
>> packets were dropped. I couldn't see any reference to ipsec(4) traffic
>> being allowed to pass.
>>
>> Below is a patch to the etherip(4) man page to clarify that
>> net.inet.etherip.allow must be set to 1 and remove the reference to
>> ipsec(4) if traffic needs to pass on the etherip interface.
>
> It seems to me that the bug is in the code rather than the manual.
> There's not much point in having a sysctl to set whether or not etherip can
> be used. But there's very much point in preventing it from being used if your
> configured IPsec protection doesn't come up correctly.
Indeed. The diff below fixes this for me (tested with ipsec.conf &
IPv4).
ok?
Index: if_etherip.c
===================================================================
RCS file: /d/cvs/src/sys/net/if_etherip.c,v
retrieving revision 1.15
diff -u -p -p -u -r1.15 if_etherip.c
--- if_etherip.c 7 Mar 2017 23:35:06 -0000 1.15
+++ if_etherip.c 21 Mar 2017 07:08:58 -0000
@@ -423,7 +423,7 @@ ip_etherip_input(struct mbuf **mp, int *
return IPPROTO_DONE;
}
- if (!etherip_allow) {
+ if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) {
m_freem(m);
etheripstat.etherips_pdrops++;
return IPPROTO_DONE;
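Review bot: the new condition admits a datagram that carries M_CONF without M_AUTH, i.e. one that ESP decrypted but that carried no integrity check, so with net.inet.etherip.allow=0 a frame is no longer guaranteed to have been authenticated before it reaches the etherip interface. If "protected by IPsec" is meant in the man page's sense, consider requiring M_AUTH (`(m->m_flags & M_AUTH) == 0`) or stating explicitly that ESP-only SAs are accepted. The flags also only record that some IPsec SA processed the packet, not that it was the flow the operator configured for this tunnel, so the ipsec(4) flow remains the real policy boundary and the man page should keep saying so.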
@@ -579,7 +579,7 @@ ip6_etherip_input(struct mbuf **mp, int
struct ifnet *ifp = NULL;
- if (!etherip_allow) {
+ if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) {
m_freem(m);
etheripstat.etherips_pdrops++;
return IPPROTO_NONE;
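Review bot: this hunk duplicates the IPv4 check verbatim; consider factoring the policy test into a small helper shared by ip_etherip_input() and ip6_etherip_input() so the two paths cannot drift apart when the condition changes again. Separately, the context lines show the v6 path returning IPPROTO_NONE after m_freem(m) where the v4 path returns IPPROTO_DONE; worth confirming that the IPv6 protocol-chain caller treats IPPROTO_NONE as "stop, mbuf consumed" rather than continuing to dispatch on the freed mbuf.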
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
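As an added example, not OpenBSD's code and not part of the thread above, the following C model runs a constructed stream of EtherIP datagrams through three versions of the input check: the pre-patch rule (accept only when etherip.allow=1), the patched `(M_AUTH|M_CONF)` rule, and a stricter variant that accepts only M_AUTH. The flag bit values and the packet stream are invented for illustration; they are not the kernel's real mbuf flags. The point it makes visible is what happens to an ESP-only datagram (M_CONF set, M_AUTH clear) when the sysctl is left at 0.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative stand-ins for the mbuf flags the patch tests. The bit
 * values are assumptions for this example, not OpenBSD's real ones. */
#define M_AUTH 0x1  /* packet passed IPsec integrity check (AH, or ESP with auth) */
#define M_CONF 0x2  /* packet was decrypted by ESP */

enum policy {
    POLICY_OLD,       /* pre-patch: accept only when etherip.allow=1 */
    POLICY_PATCH,     /* patch: accept when allow=1 or any of M_AUTH|M_CONF is set */
    POLICY_AUTH_ONLY  /* stricter variant (assumed here): accept when allow=1 or M_AUTH is set */
};

struct etherip_stats {
    unsigned long accepted;
    unsigned long pdrops;   /* plays the role of etheripstat.etherips_pdrops */
};

/* Returns true if an incoming EtherIP datagram whose mbuf carries m_flags
 * should be handed to the etherip interface under policy pol. */
bool etherip_accept(enum policy pol, int etherip_allow, int m_flags)
{
    if (etherip_allow)
        return true;
    switch (pol) {
    case POLICY_OLD:
        return false;
    case POLICY_PATCH:
        return (m_flags & (M_AUTH | M_CONF)) != 0;
    case POLICY_AUTH_ONLY:
        return (m_flags & M_AUTH) != 0;
    }
    return false;
}

/* Constructed sample traffic: one flags word per datagram. */
static const int sample_flags[] = {
    0,                 /* plaintext EtherIP from an arbitrary sender */
    M_AUTH,            /* AH-protected */
    M_AUTH | M_CONF,   /* ESP with integrity */
    M_CONF,            /* ESP without integrity: the edge case */
    0,                 /* another plaintext datagram */
};
#define NSAMPLES (sizeof(sample_flags) / sizeof(sample_flags[0]))

/* Runs the sample stream through the input check and returns the counters. */
struct etherip_stats run_policy(enum policy pol, int etherip_allow)
{
    struct etherip_stats st = {0, 0};
    for (size_t i = 0; i < NSAMPLES; i++) {
        if (etherip_accept(pol, etherip_allow, sample_flags[i]))
            st.accepted++;
        else
            st.pdrops++;
    }
    return st;
}

int main(void)
{
    static const char *names[] = {"old", "patch", "auth-only"};
    for (int p = POLICY_OLD; p <= POLICY_AUTH_ONLY; p++) {
        for (int allow = 0; allow <= 1; allow++) {
            struct etherip_stats st = run_policy((enum policy)p, allow);
            printf("%-9s allow=%d accepted=%lu pdrops=%lu\n",
                   names[p], allow, st.accepted, st.pdrops);
        }
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall etherip_policy.c` and run it; the table shows that with allow=0 the patched rule admits the M_CONF-only datagram while the auth-only variant drops it, and that with allow=1 every rule admits everything, which is why leaving the sysctl at 0 and relying on the IPsec flow is the more conservative configuration.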