From nobody@FreeBSD.org  Sat Jun 22 04:21:40 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	by hub.freebsd.org (Postfix) with ESMTP id 7115FBB5
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 22 Jun 2013 04:21:40 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121])
	by mx1.freebsd.org (Postfix) with ESMTP id 4A8EC1B27
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 22 Jun 2013 04:21:40 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
	by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id r5M4Ldlf096966
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 22 Jun 2013 04:21:39 GMT
	(envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
	by oldred.freebsd.org (8.14.5/8.14.5/Submit) id r5M4LdAX096957;
	Sat, 22 Jun 2013 04:21:39 GMT
	(envelope-from nobody)
Message-Id: <201306220421.r5M4LdAX096957@oldred.freebsd.org>
Date: Sat, 22 Jun 2013 04:21:39 GMT
From: John Wehle <john@feith.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: net/route.c 248895 breaks some VPNs
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         179829
>Category:       kern
>Synopsis:       net/route.c MFC 248895 breaks some VPNs [regression]
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    melifaro
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 22 04:30:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Sun Jun 23 06:21:49 UTC 2013
>Originator:     John Wehle
>Release:        FreeBSD 9.1-STABLE 252047M
>Organization:
>Environment:
FreeBSD carmen.FEITH.COM 9.1-STABLE FreeBSD 9.1-STABLE #1 r235103:252047M: Fri Jun 21 23:31:53 EDT 2013     root@wagner.FEITH.COM:/usr/obj/amd64.amd64/usr/src/sys/CUSTOM  amd64
>Description:
Have been using mpd to maintain a VPN for years.  The link up
script does:

  /sbin/route add -host "${REMOTE}" "${DEFAULT}"
  /sbin/route add -net "${REMOTE}/24" -interface "${IFACE}"

where REMOTE = 192.251.93.62, DEFAULT = 71.224.208.1, IFACE = ng0.
This normally produces a routing table such as:

  Destination        Gateway            Flags    Refs      Use  Netif Expire
  default            71.224.208.1       UGS         0       45   ale0
  71.224.208.0/21    link#2             U           0        0   ale0
  71.224.209.156     link#2             UHS         0        0    lo0
  192.251.93.62      71.224.208.1       UGHS        0      118   ale0
  192.251.93.165     link#13            UHS         0        0    lo0
  192.251.93.0/24    ng0                US          0       82    ng0
  
The latest change to net/route.c produces a routing table such as:

  Destination        Gateway            Flags    Refs      Use  Netif Expire
  default            71.224.208.1       UGS         0      557   ale0
  71.224.208.0/21    link#2             U           0        0   ale0
  71.224.209.156     link#2             UHS         0        0    lo0
  192.251.93.62      link#13            UH          0       10    ng0
  192.251.93.165     link#13            UHS         0        0    lo0
  192.251.93.0/24    ng0                US          0        0    ng0

Specifically note that the remote VPN endpoint (192.251.93.62) is no
longer accessed through the correct interface.  Instead a loop is
created ... packets to 192.251.93.62 are routed through ng0 which
generates encapsulated packets going to 192.251.93.62 which are
routed through ng0 ....

An explicit route table entry for a host should have a higher priority than
a route table entry for a net.

>How-To-Repeat:
Configure a VPN where the remote endpoint is on the same network as the
remote network being accessed over the VPN.  Use route to add an
explicit route for the remote VPN endpoint and a separate route for the
remote VPN network.  Notice that the VPN endpoint gets routed over the
VPN interface thus creating a loop.
>Fix:
Replacing net/route.c 248895 with net/route.c 235103 fixes the problem.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->melifaro 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jun 23 06:21:19 UTC 2013 
Responsible-Changed-Why:  
over to committer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=179829 
>Unformatted:

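The following is an added example and not part of the PR or of FreeBSD's net/route.c: a small userland model of longest-prefix-match lookup run over the two netstat tables quoted in the report, together with a check that flags the loop the submitter describes (the route to the tunnel's remote endpoint egressing through the tunnel interface itself). The two tables are copied from the >Description section; the helper names `parse_netstat`, `lookup` and `detect_tunnel_loop` are hypothetical and do not model the kernel's radix tree. Note that in the broken table the /32 host route still exists and still wins the lookup; what changed is that its interface became ng0, which is why a check on the egress interface, not just on prefix length, is the useful sanity test after a link-up script runs.

```python
# Added example (not part of the PR or FreeBSD's route.c): a userland model
# of longest-prefix-match lookup over the two netstat tables the report
# quotes, plus a check for the loop the submitter describes (the tunnel
# endpoint's own route egressing via the tunnel interface).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Both tables are copied verbatim from the PR's >Description section.
TABLE_BEFORE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            71.224.208.1       UGS         0       45   ale0
71.224.208.0/21    link#2             U           0        0   ale0
71.224.209.156     link#2             UHS         0        0    lo0
192.251.93.62      71.224.208.1       UGHS        0      118   ale0
192.251.93.165     link#13            UHS         0        0    lo0
192.251.93.0/24    ng0                US          0       82    ng0
"""

TABLE_AFTER = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            71.224.208.1       UGS         0      557   ale0
71.224.208.0/21    link#2             U           0        0   ale0
71.224.209.156     link#2             UHS         0        0    lo0
192.251.93.62      link#13            UH          0       10    ng0
192.251.93.165     link#13            UHS         0        0    lo0
192.251.93.0/24    ng0                US          0        0    ng0
"""


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network   # host routes are represented as /32
    gateway: str
    flags: str
    netif: str


def parse_netstat(text: str) -> List[Route]:
    """Parse `netstat -rn`-style IPv4 output (hypothetical helper name)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Columns: Destination Gateway Flags Refs Use Netif [Expire]
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[0], parts[1], parts[2], parts[5]
        if dest == "default":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            # A bare address (no /prefix) is a host route, i.e. a /32.
            net = ipaddress.IPv4Network(dest, strict=False)
        routes.append(Route(net, gateway, flags, netif))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching entry wins,
    so a /32 host route beats a covering /24 net route."""
    ip = ipaddress.IPv4Address(addr)
    matches = [r for r in routes if ip in r.dest]
    if not matches:
        return None
    return max(matches, key=lambda r: r.dest.prefixlen)


def detect_tunnel_loop(routes: List[Route], endpoint: str, tun_if: str) -> bool:
    """True when the route to the tunnel's remote endpoint egresses via the
    tunnel interface itself: encapsulated packets would re-enter the tunnel,
    which is the loop described in the report."""
    r = lookup(routes, endpoint)
    return r is not None and r.netif == tun_if


if __name__ == "__main__":
    for name, table in (("before", TABLE_BEFORE), ("after", TABLE_AFTER)):
        routes = parse_netstat(table)
        r = lookup(routes, "192.251.93.62")
        print(f"{name}: 192.251.93.62 -> {r.dest} via {r.gateway} on {r.netif}; "
              f"loop={detect_tunnel_loop(routes, '192.251.93.62', 'ng0')}")
```

Run against the healthy table the endpoint resolves to the /32 via 71.224.208.1 on ale0 and the loop check is false; against the table produced after the route.c change it resolves to the same /32 but on ng0 and the loop check fires.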