[altq:1726] Re: IPsec tunnel and altq
For any of you who might want to know how things turned out: the patch
worked like a charm on OpenBSD 3.1. A million thanks Kenjiro.
Andy
On Thu, 12 Dec 2002, Kenjiro Cho wrote:
>
> admin@sga.umd.edu wrote:
> > I'm new to the mailing list, so I'm unaware of any prior mention of the
> > issue I'm having. I'm attempting to run altq on an OpenBSD 3.1 box which
> > already is running IPsec (tunnel mode) and ipnat. RFC 2401 states "If
> > Inner Hdr is IPv4 (Protocol = 4), copy the TOS". Unfortunately, IPsec is
> > not copying the inner header's TOS field, during the encapsulation
> > process. Does OpenBSD's implementation of IPsec not follow the RFC?
> > Being that I would like to distinguish ipsec traffic based on the TOS
> > field, it poses a problem for me. Anyone that can possibly shed some light
> > on this topic, please do.
>
> There is a patch floating around. You might want to give it a try.
>
> -Kenjiro
>
> ---------- Forwarded message ----------
> Date: Fri, 22 Nov 2002 14:15:42 -0500
> From: david langhorst <dirt@monkey.org>
> To: Nate <nate@monkey.org>
> Subject: ipsec patch
>
> diff attached (against 3.1-release, should apply to 3.2 though). if you
> can spare a moment, please critique. i'm not sure if moving:
>
> ip = mtod(m, struct ip *);
>
> outside of:
>
> if (tdb->tdb_dst.sa.sa_family == AF_INET && setdf) { }
>
> has any negative impact.
>
>
> Index: sys/netinet/in.h
> ===================================================================
> RCS file: /cvs/src/sys/netinet/in.h,v
> retrieving revision 1.56
> diff -u -r1.56 in.h
> --- sys/netinet/in.h 2002/03/14 01:27:11 1.56
> +++ sys/netinet/in.h 2002/11/13 23:01:35
> @@ -466,7 +466,8 @@
> #define IPCTL_MTUDISC 27 /* allow path MTU discovery */
> #define IPCTL_MTUDISCTIMEOUT 28 /* allow path MTU discovery */
> #define IPCTL_IPSEC_IPCOMP_ALGORITHM 29
> -#define IPCTL_MAXID 30
> +#define IPCTL_IPSEC_TOS_PRESERVE 30
> +#define IPCTL_MAXID 31
>
> #define IPCTL_NAMES { \
> { 0, 0 }, \
> @@ -499,6 +500,7 @@
> { "mtudisc", CTLTYPE_INT }, \
> { "mtudisctimeout", CTLTYPE_INT }, \
> { "ipsec-comp-alg", CTLTYPE_STRING }, \
> + { "ipsec-tos-preserve", CTLTYPE_INT }, \
> }
>
> /* INET6 stuff */
> Index: sys/netinet/ip_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.100
> diff -u -r1.100 ip_input.c
> --- sys/netinet/ip_input.c 2002/03/14 01:27:11 1.100
> +++ sys/netinet/ip_input.c 2002/11/13 23:01:35
> @@ -98,6 +98,7 @@
> int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
> int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
> int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
> +int ipsec_tos_preserve = IPSEC_DEFAULT_TOS_PRESERVE;
> char ipsec_def_enc[20];
> char ipsec_def_auth[20];
> char ipsec_def_comp[20];
> @@ -1670,6 +1671,9 @@
> return (sysctl_tstring(oldp, oldlenp, newp, newlen,
> ipsec_def_comp,
> sizeof(ipsec_def_comp)));
> + case IPCTL_IPSEC_TOS_PRESERVE:
> + return (sysctl_int(oldp, oldlenp, newp, newlen,
> + &ipsec_tos_preserve));
> default:
> return (EOPNOTSUPP);
> }
> Index: sys/netinet/ip_ipsp.h
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
> retrieving revision 1.119
> diff -u -r1.119 ip_ipsp.h
> --- sys/netinet/ip_ipsp.h 2002/03/14 01:27:11 1.119
> +++ sys/netinet/ip_ipsp.h 2002/11/13 23:01:36
> @@ -94,6 +94,7 @@
> #define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1"
> #define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30
> #define IPSEC_DEFAULT_DEF_COMP "deflate"
> +#define IPSEC_DEFAULT_TOS_PRESERVE 0
>
> struct sockaddr_encap {
> u_int8_t sen_len; /* length */
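Review bot: The new default at the added `IPSEC_DEFAULT_TOS_PRESERVE 0` line is undocumented, and the knob it controls changes what the cleartext outer header reveals about the protected traffic. Copying the inner TOS into the tunnel header is what RFC 2401 describes, but it also lets an on-path observer see a per-packet classification of the encrypted payload (a small information leak, and a potential covert channel from the inner network), which is presumably why the patch leaves it off; that reasoning should be written down next to the define so nobody flips it on by habit. Suggest `/* copy inner IPv4 TOS into the tunnel header; off by default: exposes inner traffic class */` on that line.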
> @@ -462,6 +463,7 @@
> extern int ipsec_exp_timeout;
> extern int ipsec_soft_first_use;
> extern int ipsec_exp_first_use;
> +extern int ipsec_tos_preserve;
> extern char ipsec_def_enc[];
> extern char ipsec_def_auth[];
> extern char ipsec_def_comp[];
> Index: sys/netinet/ipsec_output.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ipsec_output.c,v
> retrieving revision 1.21
> diff -u -r1.21 ipsec_output.c
> --- sys/netinet/ipsec_output.c 2002/02/19 21:11:22 1.21
> +++ sys/netinet/ipsec_output.c 2002/11/13 23:01:36
> @@ -70,6 +70,7 @@
>
> #ifdef INET
> int setdf = 0;
> + u_int8_t settos = 0;
> struct ip *ip;
> #endif /* INET */
> #ifdef INET6
> @@ -181,6 +182,7 @@
> * had IP_DF.
> */
> setdf = ntohs(ip->ip_off) & IP_DF;
> + settos = ip->ip_tos;
> #endif /* INET */
>
> #ifdef INET6
> @@ -255,8 +257,8 @@
> mp = NULL;
>
> #ifdef INET
> + ip = mtod(m, struct ip *);
> if (tdb->tdb_dst.sa.sa_family == AF_INET && setdf) {
> - ip = mtod(m, struct ip *);
> if (m->m_len < sizeof(struct ip))
> if ((m = m_pullup(m,
> sizeof(struct ip))) == NULL)
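Review bot: The moved `ip = mtod(m, struct ip *);` is taken before the `m_pullup()` two lines below, which may replace `m` with a new mbuf, so `ip` can be stale by the time it is dereferenced after the pullup; the original placement had the same ordering, but the move now also makes that pointer the one used after the `setdf` block, where no pullup has been done at all when `setdf` is false. Re-fetch the header pointer after the chain is known to be contiguous: place `ip = mtod(m, struct ip *);` immediately after the `m_pullup` check rather than before it. The enclosing function starts before this hunk and its `m_pullup` failure path is outside it.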
> @@ -266,6 +268,8 @@
> ip->ip_off |= IP_DF;
> HTONS(ip->ip_off);
> }
> + if (ipsec_tos_preserve)
> + ip->ip_tos = settos;
>
> /* Remember that we appended a tunnel header. */
> tdb->tdb_flags |= TDBF_USEDTUNNEL;
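Review bot: The added `ip->ip_tos = settos;` is outside the `tdb->tdb_dst.sa.sa_family == AF_INET && setdf` block, so it runs for every tunnel destination family: when the outer header is IPv6 it overwrites byte 1 of the freshly prepended IPv6 header (traffic class/flow label bits), and when `setdf` is false it writes through `ip` without the `m_pullup` that only the DF branch performs. Guard it the same way as the DF code, `if (tdb->tdb_dst.sa.sa_family == AF_INET && ipsec_tos_preserve)`, and make sure the pullup (or an equivalent `m_len >= sizeof(struct ip)` check) happens for this case too, not just when DF is being set. Note that `settos` is only assigned when the inner packet is IPv4, so an IPv6-in-IPv4 tunnel would have its outer TOS forced to 0 by this write; if that is not intended, the copy should also be conditioned on the inner header having been IPv4. The enclosing function continues past this hunk.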
>