From prvs=julian=402a94683@elischer.org  Mon Sep 11 21:29:31 2006
Return-Path: <prvs=julian=402a94683@elischer.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A64CE16A4C8;
	Mon, 11 Sep 2006 21:29:31 +0000 (UTC)
	(envelope-from prvs=julian=402a94683@elischer.org)
Received: from a50.ironport.com (a50.ironport.com [63.251.108.112])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EC27343E99;
	Mon, 11 Sep 2006 21:27:47 +0000 (GMT)
	(envelope-from prvs=julian=402a94683@elischer.org)
Received: from unknown (HELO [10.251.18.229]) ([10.251.18.229])
  by a50.ironport.com with ESMTP; 11 Sep 2006 14:27:26 -0700
Message-Id: <4505D4BE.10801@elischer.org>
Date: Mon, 11 Sep 2006 14:27:26 -0700
From: Julian Elischer <julian@elischer.org>
To: Eugene Grosbein <eugen@grosbein.pp.ru>
Cc: FreeBSD-gnats-submit@freebsd.org,  net@freebsd.org
In-Reply-To: <200609111341.k8BDfneZ020221@nkz.delikates-nk.ru>
Subject: Re: ipsec with ipfw divert (not NAT) encodes a packet twice breaking
 PMTUD
References: <200609111341.k8BDfneZ020221@nkz.delikates-nk.ru>

>Number:         103163
>Category:       kern
>Synopsis:       Re: kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice breaking
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 11 21:30:25 GMT 2006
>Closed-Date:    Mon Sep 11 21:46:12 GMT 2006
>Last-Modified:  Mon Sep 11 21:46:12 GMT 2006
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 Eugene Grosbein wrote:
 
 >	When an outgoing packet encoded due to a corresponding IPSEC policy
 >	is passed to a divert socket (e.g. to ipacctd for accounting),
 >	it is then encoded a second time with IPSEC. Besides the obvious
 >	logic error, this also results in broken Path MTU Discovery.
 
 Unfortunately this comes from the fact that divert returns packets to the
 kernel by passing them to the IP stack and letting them be processed
 again.
 There is a flag that is set to allow ipfw to know that they have been
 seen before, and it is possible that one could make IPSEC notice that
 flag as well, but it would be pretty hacky. One other solution would be
 to make some way in which ipdivert can really inject a packet back at the
 point where it was extracted, but that would probably require splitting
 ip_output() into two functions (as was done in ether_output()); that
 would probably not 'fly' very well.
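 The re-entry path described above, as an added toy model that is not part
 of this PR or of the FreeBSD kernel: ip_output(), ipsec_encap(),
 div_reinject(), the packet struct, PATH_MTU and ESP_OVERHEAD are all
 simplified stand-ins invented for illustration, and the model assumes that
 IPsec output processing runs before the ipfw hook, which is what the
 reported symptom implies. It shows why writing a diverted packet straight
 back makes it pass IPsec a second time, how the extra encapsulation pushes
 the packet past the path MTU (the PMTUD breakage), and how checking the
 "seen before" divert tag in the IPsec step (the hacky option mentioned)
 would avoid the double wrap.

```c
/* Toy model of the ip_output() / ipfw divert re-entry path.
 * Added example; not kernel code. All names and constants are assumptions. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

#define PATH_MTU      1500   /* assumed path MTU towards the IPsec peer      */
#define ESP_OVERHEAD    58   /* assumed per-wrap cost: outer IP+ESP+IV+pad+ICV */

/* Minimal packet descriptor standing in for an mbuf chain. */
struct pkt {
    size_t len;            /* on-the-wire length in bytes                   */
    int    esp_wraps;      /* how many times IPsec has encapsulated it      */
    bool   divert_tag;     /* "seen before" mark set when divert reinjects  */
    bool   divert_match;   /* does an ipfw divert rule match this packet?   */
};

struct outcome {
    int  esp_wraps;        /* wraps applied before the packet left the box  */
    bool exceeds_mtu;      /* did it end up larger than PATH_MTU?           */
};

/* Stand-in for the IPsec output hook: apply the tunnel-mode policy once. */
static void ipsec_encap(struct pkt *p)
{
    p->len += ESP_OVERHEAD;
    p->esp_wraps++;
}

static struct outcome ip_output(struct pkt *p, bool ipsec_checks_tag);

/* Stand-in for the divert consumer (an accounting daemon) writing the
 * packet straight back. The kernel hands it to ip_output() again with the
 * divert tag set; it does not resume at the point of extraction. */
static struct outcome div_reinject(struct pkt *p, bool ipsec_checks_tag)
{
    p->divert_tag = true;
    return ip_output(p, ipsec_checks_tag);
}

/* Stand-in for ip_output(): IPsec processing, then the ipfw hook. */
static struct outcome ip_output(struct pkt *p, bool ipsec_checks_tag)
{
    /* IPsec runs on every pass. Only if it is taught to honour the divert
     * tag does a reinjected packet skip re-encapsulation. */
    if (!(ipsec_checks_tag && p->divert_tag))
        ipsec_encap(p);

    /* ipfw honours the tag and resumes after the divert rule, so the
     * packet is diverted at most once. */
    if (p->divert_match && !p->divert_tag)
        return div_reinject(p, ipsec_checks_tag);

    struct outcome o = { p->esp_wraps, p->len > PATH_MTU };
    return o;
}

/* Send a packet of the given length down the modelled stack and report
 * how many ESP wraps it received and whether it outgrew the path MTU. */
struct outcome send_packet(size_t len, bool diverted, bool ipsec_checks_tag)
{
    struct pkt p = { len, 0, false, diverted };
    return ip_output(&p, ipsec_checks_tag);
}

int main(void)
{
    /* 1400 bytes fits one ESP wrap under a 1500-byte path MTU. */
    struct outcome plain    = send_packet(1400, false, false);
    struct outcome diverted = send_packet(1400, true,  false);
    struct outcome fixed    = send_packet(1400, true,  true);

    printf("no divert:           wraps=%d exceeds_mtu=%d\n", plain.esp_wraps,    plain.exceeds_mtu);
    printf("divert, no tag check: wraps=%d exceeds_mtu=%d\n", diverted.esp_wraps, diverted.exceeds_mtu);
    printf("divert, tag check:    wraps=%d exceeds_mtu=%d\n", fixed.esp_wraps,    fixed.exceeds_mtu);
    return 0;
}
```

 The sizing is the point: a sender doing PMTUD picks 1400 because one
 encapsulation of that fits 1500, so the second, unexpected wrap produces a
 1516-byte datagram that no discovered MTU accounts for.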
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Mon Sep 11 21:44:50 UTC 2006 
State-Changed-Why:  
Misfiled followup to ports/103135; content migrated. 


Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Sep 11 21:44:50 UTC 2006 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=103163 
>Unformatted:
