[altq:1725] Re: IPsec tunnel and altq
admin@sga.umd.edu wrote:
> I'm new to the mailing list, so I'm unaware of any prior mention of the
> issue I'm having. I'm attempting to run altq on an OpenBSD 3.1 box that
> already is running IPsec (tunnel mode) and ipnat. RFC 2401 states "If
> Inner Hdr is IPv4 (Protocol = 4), copy the TOS". Unfortunately, IPsec is
> not copying the inner header's TOS field, during the encapsulation
> process. Does OpenBSD's implementation of IPsec not follow the RFC?
> Since I would like to classify IPsec traffic by the TOS field, this is a
> problem for me. Anyone who can shed some light
> on this topic, please do.
There is a patch floating around. You might want to give it a try.
-Kenjiro
---------- Forwarded message ----------
Date: Fri, 22 Nov 2002 14:15:42 -0500
From: david langhorst <dirt@monkey.org>
To: Nate <nate@monkey.org>
Subject: ipsec patch
Diff attached (against 3.1-release, but it should apply to 3.2 as well). If you
can spare a moment, please critique it. I'm not sure whether moving:
ip = mtod(m, struct ip *);
outside of:
if (tdb->tdb_dst.sa.sa_family == AF_INET && setdf) { }
has any negative impact.
Index: sys/netinet/in.h
===================================================================
RCS file: /cvs/src/sys/netinet/in.h,v
retrieving revision 1.56
diff -u -r1.56 in.h
--- sys/netinet/in.h 2002/03/14 01:27:11 1.56
+++ sys/netinet/in.h 2002/11/13 23:01:35
@@ -466,7 +466,8 @@
#define IPCTL_MTUDISC 27 /* allow path MTU discovery */
#define IPCTL_MTUDISCTIMEOUT 28 /* allow path MTU discovery */
#define IPCTL_IPSEC_IPCOMP_ALGORITHM 29
-#define IPCTL_MAXID 30
+#define IPCTL_IPSEC_TOS_PRESERVE 30
+#define IPCTL_MAXID 31
#define IPCTL_NAMES { \
{ 0, 0 }, \
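Review bot: The new `IPCTL_IPSEC_TOS_PRESERVE` define carries no trailing comment, while the MTU entries two lines above document themselves; this is the public sysctl ID, so a one-liner is worth having. Suggest `#define IPCTL_IPSEC_TOS_PRESERVE 30 /* copy inner IPv4 TOS to IPsec tunnel header (0/1) */`. The name-table entry added in the next hunk keeps index 30 aligned with this ID, which is what `IPCTL_NAMES` requires, so that part checks out.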
@@ -499,6 +500,7 @@
{ "mtudisc", CTLTYPE_INT }, \
{ "mtudisctimeout", CTLTYPE_INT }, \
{ "ipsec-comp-alg", CTLTYPE_STRING }, \
+ { "ipsec-tos-preserve", CTLTYPE_INT }, \
}
/* INET6 stuff */
Index: sys/netinet/ip_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.100
diff -u -r1.100 ip_input.c
--- sys/netinet/ip_input.c 2002/03/14 01:27:11 1.100
+++ sys/netinet/ip_input.c 2002/11/13 23:01:35
@@ -98,6 +98,7 @@
int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
+int ipsec_tos_preserve = IPSEC_DEFAULT_TOS_PRESERVE;
char ipsec_def_enc[20];
char ipsec_def_auth[20];
char ipsec_def_comp[20];
@@ -1670,6 +1671,9 @@
return (sysctl_tstring(oldp, oldlenp, newp, newlen,
ipsec_def_comp,
sizeof(ipsec_def_comp)));
+ case IPCTL_IPSEC_TOS_PRESERVE:
+ return (sysctl_int(oldp, oldlenp, newp, newlen,
+ &ipsec_tos_preserve));
default:
return (EOPNOTSUPP);
}
Index: sys/netinet/ip_ipsp.h
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
retrieving revision 1.119
diff -u -r1.119 ip_ipsp.h
--- sys/netinet/ip_ipsp.h 2002/03/14 01:27:11 1.119
+++ sys/netinet/ip_ipsp.h 2002/11/13 23:01:36
@@ -94,6 +94,7 @@
#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1"
#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30
#define IPSEC_DEFAULT_DEF_COMP "deflate"
+#define IPSEC_DEFAULT_TOS_PRESERVE 0
struct sockaddr_encap {
u_int8_t sen_len; /* length */
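Review bot: `IPSEC_DEFAULT_TOS_PRESERVE 0` says nothing about what the two values mean or why off is the default, and a reader of this header has no other place to learn it. Off is the right conservative default: copying the inner TOS into the cleartext tunnel header discloses the traffic class of the protected packet to anyone on the path, so an operator should opt in knowingly. Suggest `#define IPSEC_DEFAULT_TOS_PRESERVE 0 /* 1: copy inner IPv4 TOS into tunnel hdr; off by default, reveals inner traffic class */`.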
@@ -462,6 +463,7 @@
extern int ipsec_exp_timeout;
extern int ipsec_soft_first_use;
extern int ipsec_exp_first_use;
+extern int ipsec_tos_preserve;
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];
Index: sys/netinet/ipsec_output.c
===================================================================
RCS file: /cvs/src/sys/netinet/ipsec_output.c,v
retrieving revision 1.21
diff -u -r1.21 ipsec_output.c
--- sys/netinet/ipsec_output.c 2002/02/19 21:11:22 1.21
+++ sys/netinet/ipsec_output.c 2002/11/13 23:01:36
@@ -70,6 +70,7 @@
#ifdef INET
int setdf = 0;
+ u_int8_t settos = 0;
struct ip *ip;
#endif /* INET */
#ifdef INET6
@@ -181,6 +182,7 @@
* had IP_DF.
*/
setdf = ntohs(ip->ip_off) & IP_DF;
+ settos = ip->ip_tos;
#endif /* INET */
#ifdef INET6
@@ -255,8 +257,8 @@
mp = NULL;
#ifdef INET
+ ip = mtod(m, struct ip *);
if (tdb->tdb_dst.sa.sa_family == AF_INET && setdf) {
- ip = mtod(m, struct ip *);
if (m->m_len < sizeof(struct ip))
if ((m = m_pullup(m,
sizeof(struct ip))) == NULL)
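Review bot: The `ip = mtod(m, struct ip *);` hoisted above the guard is still taken before the `m_pullup()` three lines below it, so when the pullup actually runs and hands back a different mbuf the pointer used for `ip->ip_off` afterwards is stale; the pre-patch placement had the same ordering, but with the assignment now outside the guard every later use of `ip` in this function depends on it too. Re-derive the pointer once the chain is known to be contiguous, i.e. after the NULL check add `ip = mtod(m, struct ip *);` inside the guard, and keep the hoisted copy only for the code that runs when `setdf` is clear. Note that with `setdf` clear no pullup happens at all, so any dereference of `ip` outside the guard relies on the first mbuf already holding at least the bytes it touches, which should be stated in a comment or checked with `m->m_len`. The enclosing function starts before this hunk and continues past it.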
@@ -266,6 +268,8 @@
ip->ip_off |= IP_DF;
HTONS(ip->ip_off);
}
+ if (ipsec_tos_preserve)
+ ip->ip_tos = settos;
/* Remember that we appended a tunnel header. */
tdb->tdb_flags |= TDBF_USEDTUNNEL;
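Review bot: The new `ip->ip_tos = settos;` store sits outside the `tdb_dst.sa.sa_family == AF_INET` guard that the DF handling above it uses, so with INET6 compiled in an IPv4-in-IPv6 tunnel would write byte 1 of what is actually an IPv6 outer header (traffic class/flow label bits). `settos` is also captured only on the inner-IPv4 path (`settos = ip->ip_tos` earlier in this function), so for an inner IPv6 packet it is still 0 and the store would zero whatever TOS the outer header already carried. Gate the copy on both sides: `if (ipsec_tos_preserve && tdb->tdb_dst.sa.sa_family == AF_INET && inner_ipv4) ip->ip_tos = settos;`, where `inner_ipv4` is a flag set next to the `settos` capture (or the function's existing inner-family variable, if it has one — not visible in the hunk). The store also deserves a comment, since copying the inner TOS exposes the protected packet's traffic class in the cleartext outer header: `/* Copy inner IPv4 TOS to the tunnel header (RFC 2401 5.1.2.1); off by default as it reveals inner traffic class */`. The enclosing function continues past this hunk.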