Subject: kern/34482: PF fails to forward packets correctly to gre/gif interfaces
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <mearnha2@uiuc.edu>
List: netbsd-bugs
Date: 09/06/2006 07:10:00
>Number: 34482
>Category: kern
>Synopsis: PF fails to forward packets correctly to gre/gif interfaces
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Sep 06 07:10:00 +0000 2006
>Originator: Michael Earnhart
>Release: NetBSD 2.99.10
>Organization:
>Environment:
System: NetBSD cuw.ojctech.com 2.99.10 NetBSD 2.99.10 (GENERIC.cuw) #0: Sun Nov 14 15:35:49 CST 2004 dyoung@cuw.ojctech.com:/u3/dyoung/pristine-nbsd/O/sys/arch/i386/compile/GENERIC.cuw i386
Architecture: i386
Machine: i386
>Description:
PF does not forward packets correctly from a real interface to a tunnel interface, specifically when using the route-to option. I do not know if the problem extends to other areas of PF, but am certain that when using route-to and a gif/gre interface it fails to duplicate the incoming packet.
Example data:
NO-PF - simply setting the default gateway to the other end of the gre tunnel
GRE
10:48:24.508065 IP (tos 0x0, ttl 255, id 9674, offset 0, flags [none], length: 84) 172.0.11.200 > WEB.MIT.EDU: icmp 64: echo request seq 0
PCN1
10:48:24.508107 IP (tos 0x0, ttl 30, id 9675, offset 0, flags [none], length: 108) 11.0.0.200 > fw1: [] IP (tos 0x0, ttl 255, id 9674, offset 0, flags [none], length: 84) 172.0.11.200 > WEB.MIT.EDU: icmp 64: echo request seq 0
WITH-PF - setting the "default gateway" using PF with a rule similar to:
pass out on pcn0 route-to (gif0 gif0ip) from any to ! 192.168.1.0/24 keep state
GRE
10:50:03.450240 IP (tos 0x0, ttl 255, id 9730, offset 0, flags [none], length: 84) 11.0.0.200 > WEB.MIT.EDU: icmp 64: echo request seq 0 (wrong icmp cksum d111 (->d91a)!)
PCN1
10:50:03.450288 IP (tos 0x0, ttl 30, id 9731, offset 0, flags [none], length: 108) 11.0.0.200 > fw1: [] IP (tos 0x0, ttl 255, id 9730, offset 0, flags [none], length: 84) 11.0.0.200 > WEB.MIT.EDU: icmp 64: echo request seq 0
These are examples of what tcpdump sees on these interfaces with a simple "ping mit.edu" as the test subject. Note the "wrong icmp cksum" error on the gre interface in the WITH-PF section. This is the problem. Also note that using OpenBSD 3.8 did not produce this error given seemingly identical situations. I only mention this to indicate that PF clearly can accomplish this task.
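The following is an added example, not part of the report and not NetBSD or PF code. It parses the tcpdump lines quoted above (embedded here as constructed sample input, copied from the report) so the innermost source/destination and any "wrong icmp cksum" annotation can be compared between the NO-PF and WITH-PF runs, and it implements the RFC 1071 checksum that tcpdump recomputes when it prints that warning, so a reader can see what "seen d111, expected d91a" means: verifying an ICMP packet whose checksum field is correct sums to zero. The tcpdump output format assumed is the one shown in the report; hostnames such as WEB.MIT.EDU and fw1 are used exactly as tcpdump printed them.

```python
import re
import struct

# Sample capture lines, copied from the report's tcpdump output (constructed
# sample input for this example; hostnames are as tcpdump printed them).
NO_PF = [
    "10:48:24.508065 IP (tos 0x0, ttl 255, id 9674, offset 0, flags [none], length: 84) "
    "172.0.11.200 > WEB.MIT.EDU: icmp 64: echo request seq 0",
    "10:48:24.508107 IP (tos 0x0, ttl 30, id 9675, offset 0, flags [none], length: 108) "
    "11.0.0.200 > fw1: [] IP (tos 0x0, ttl 255, id 9674, offset 0, flags [none], length: 84) "
    "172.0.11.200 > WEB.MIT.EDU: icmp 64: echo request seq 0",
]
WITH_PF = [
    "10:50:03.450240 IP (tos 0x0, ttl 255, id 9730, offset 0, flags [none], length: 84) "
    "11.0.0.200 > WEB.MIT.EDU: icmp 64: echo request seq 0 (wrong icmp cksum d111 (->d91a)!)",
    "10:50:03.450288 IP (tos 0x0, ttl 30, id 9731, offset 0, flags [none], length: 108) "
    "11.0.0.200 > fw1: [] IP (tos 0x0, ttl 255, id 9730, offset 0, flags [none], length: 84) "
    "11.0.0.200 > WEB.MIT.EDU: icmp 64: echo request seq 0",
]

# One IP header as tcpdump -v prints it; a GRE-encapsulated line carries two.
IP_HDR = re.compile(
    r"IP \(tos \S+, ttl (\d+), id (\d+), [^)]*length: (\d+)\) (\S+) > ([^:]+):"
)
CKSUM_WARN = re.compile(r"wrong icmp cksum ([0-9a-f]+) \(->([0-9a-f]+)\)")


def parse_line(line):
    """Return the IP headers on one tcpdump line, outermost first."""
    return [
        {"ttl": int(m.group(1)), "id": int(m.group(2)), "length": int(m.group(3)),
         "src": m.group(4), "dst": m.group(5)}
        for m in IP_HDR.finditer(line)
    ]


def summarize(lines):
    """Per line: the innermost packet's addresses and IP id (the packet the
    user sent), whether it was seen GRE-encapsulated, and the checksum
    tcpdump saw versus the one it expected (None when no warning)."""
    out = []
    for line in lines:
        hdrs = parse_line(line)
        warn = CKSUM_WARN.search(line)
        out.append({
            "inner_src": hdrs[-1]["src"],
            "inner_dst": hdrs[-1]["dst"],
            "inner_id": hdrs[-1]["id"],
            "encapsulated": len(hdrs) > 1,
            "cksum_seen": warn.group(1) if warn else None,
            "cksum_expected": warn.group(2) if warn else None,
        })
    return out


def bad_checksum_lines(lines):
    """Indices of lines where tcpdump flagged an ICMP checksum mismatch."""
    return [i for i, s in enumerate(summarize(lines)) if s["cksum_seen"] is not None]


def inet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (odd length is
    zero-padded). Run over a packet whose checksum field is already
    correct, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload):
    """ICMP echo request (type 8, code 0) with the checksum filled in."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_checksum_ok(icmp_pkt):
    """The verification tcpdump does before printing 'wrong icmp cksum'."""
    return inet_checksum(icmp_pkt) == 0


if __name__ == "__main__":
    for name, lines in (("NO-PF", NO_PF), ("WITH-PF", WITH_PF)):
        for s in summarize(lines):
            print(name, s)
    pkt = build_echo_request(0x1234, 0, b"x" * 56)  # 64-byte ICMP, as in the report
    print("constructed echo request verifies:", icmp_checksum_ok(pkt))
```

Running it prints one summary per captured line; the checksum helpers show that a freshly built echo request verifies to zero while any altered byte does not, which is exactly the condition the "wrong icmp cksum" annotation reports.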
>How-To-Repeat:
First create a gre/gif tunnel between two hosts (gre0 on both ends, for example). This will function well and can be used as a gateway by altering the default route. Next alter the default route for the client host to the IP address of an interface (for this example, pcn0 has IP 192.168.1.1 and the default route would be to 192.168.1.1). Next implement a pf rule such as:
pass out on pcn0 route-to (gre0 gre0ip) from any to ! 192.168.1.0/24 keep state
This SHOULD route anything NOT on the LAN to the gateway through the gre0 tunnel. Note that gif0ip is a variable representing the IP address of the tunnel endpoint; I do not think it is needed, but it is there nonetheless for completeness.
>Fix:
unknown
>Unformatted: