Subject: gif and gre recursion
To: None <tech-net@NetBSD.ORG>
From: Martin Husemann <martin@duskware.de>
List: tech-net
Date: 05/20/2002 12:26:59

I looked at our tunnel code recently and a few things look not right to me:

 - gre does rtalloc a (slightly modified) route to the outer destination
   address, but never rtfrees it (not even before doing another rtalloc).
   I'm not sure the allocated route is right (i.e. is a /32 route) and
   the way it is done looks highly suspicious. IF we would have some
   rtallocignore() call which could specify an interface pointer to ignore
   when allocating the route this would certainly help.
   If the route allocation fails, gre goes into an infinite recursion
   (thus overflowing the kernel stack and crashing the system)

 - gre does not track routing events, so if the pre-allocated route becomes
   invalid it would not notice (this could be called pilot error)

 - gif does not pre-allocate a route (!) and arbitrarily limits recursion
   with a single static counter. This seems to work effectively given the
   non-reentrancy of this kernel path, and is XXX'd.

The routing code boggles my mind (and I have displaced my "TCP/IP Illustrated"),
so I feel pretty clueless how this all should be done properly. It should be
fixed & unified.

Suggestions what to do here?

Martin
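
Added example, not part of the original message and not NetBSD source: a user-space C model of a tunnel output path that fails the send when the outer route lookup fails, rejects a route pointing back at the tunnel itself, and bounds nesting with a single static counter. The names (`tunnel_output`, `route_lookup`, `MAX_TUNNEL_NEST`, `scenario`), the toy routing table and the errno values returned are assumptions made for this sketch.

```c
#include <errno.h>
#include <stddef.h>
#define MAX_TUNNEL_NEST 4       /* assumed nesting limit for this sketch */
/* outer_dst: tunnels only, the outer (encapsulating) destination address */
struct ifnet { int (*output)(struct ifnet *); int outer_dst; };
struct route { int dst; struct ifnet *ifp; };

static struct route rtable[2];  /* constructed two-entry routing table */
static int tunnel_depth;        /* single static counter; assumes a non-reentrant path */
static int frames_sent;         /* frames that reached the physical interface */

static struct ifnet *route_lookup(int dst)
{
    for (size_t i = 0; i < 2; i++)
        if (rtable[i].ifp != NULL && rtable[i].dst == dst)
            return rtable[i].ifp;
    return NULL;
}

static int phys_output(struct ifnet *ifp)
{
    (void)ifp;
    frames_sent++;
    return 0;
}

static int tunnel_output(struct ifnet *ifp)
{
    struct ifnet *out = route_lookup(ifp->outer_dst);
    if (out == NULL)
        return EHOSTUNREACH;    /* lookup failed: fail the send, never re-enter */
    if (out == ifp || tunnel_depth >= MAX_TUNNEL_NEST)
        return ELOOP;           /* direct loop, or nested too deep (indirect loop) */
    tunnel_depth++;
    int error = out->output(out);
    tunnel_depth--;             /* always unwind so later sends start from zero */
    return error;
}

enum { SC_OK, SC_NO_ROUTE, SC_SELF_LOOP, SC_PAIR_LOOP };
static int scenario(int kind)   /* kind selects where the route to address 10 points */
{
    struct ifnet phys = { phys_output, 0 }, t0 = { tunnel_output, 10 }, t1 = { tunnel_output, 20 };
    struct ifnet *via[] = { &phys, NULL, &t0, &t1 };    /* indexed by kind */
    rtable[0] = (struct route){ 10, via[kind] };
    rtable[1] = (struct route){ 20, &t0 };              /* t1's outer route leads to t0 */
    tunnel_depth = frames_sent = 0;
    return t0.output(&t0);
}
```

In the `SC_PAIR_LOOP` case neither tunnel routes to itself, so only the depth counter stops the two interfaces from calling each other until the stack is exhausted.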