[Bug 266598] if_ovpn(4) DCO module not supporting correctly IPv6 Traffic Class for tunneled packets

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 26 Sep 2022 09:55:43 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266598

--- Comment #11 from Kristof Provost <kp@freebsd.org> ---
(In reply to Kristof Provost from comment #10)
I suspect I found it:

diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 286125fb42d5..0577fcee8618 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1572,7 +1581,7 @@ ovpn_get_af(struct mbuf *m)
                return (AF_INET);

        ip6 = mtod(m, struct ip6_hdr *);
-       if (ip6->ip6_vfc == IPV6_VERSION)
+       if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION)
                return (AF_INET6);

        return (0);
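Review bot: the masked comparison is the right fix; `IPV6_VERSION_MASK` keeps only the version nibble of `ip6_vfc`, so the upper four Traffic Class bits no longer make a v6 packet miss the `IPV6_VERSION` check and fall through to `return (0)`. Two things to confirm around this hunk: the `@@ -1572,7 +1581,7 @@` header puts it nine lines later in the new file than in the old, so other hunks of the same patch precede it and are not shown in this comment; and the visible context dereferences `mtod(m, struct ip6_hdr *)` with no length check in sight, so verify that the caller guarantees the first mbuf holds at least `sizeof(struct ip6_hdr)` (or pull it up) before this read.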

The check for 'what IP version is this packet?' didn't account for the ToS
field sharing bits with the IP version field. We didn't see the outgoing packet
in tcpdump, because the BPF capture point (for outbound traffic) is conditional
on the address family (in part to avoid capturing control packets, in part
because the capture point needs to know).
On the receive side the packet gets decrypted, but not passed to the IP stack,
because we don't know where to send it (i.e. v4 or v6).

Small fix for a bigger issue.

I'll also extend the FreeBSD if_ovpn tests to include packets with the ToS bits
set.

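The following is an added userland example, not code from if_ovpn(4) or from this bug report. It builds constructed IPv6 and IPv4 headers and runs them through a probe shaped like ovpn_get_af(), once with the pre-patch byte comparison and once with the masked comparison from the patch. The IPV6_VERSION, IPV6_VERSION_MASK and AF_* constants are copied here (an assumption about FreeBSD's headers) so that the program builds without kernel headers; it also shows why the bug is easy to miss: only Traffic Class values of 0x10 and above disturb the version byte, so packets with just ECN bits or a small DSCP still classify correctly with the old check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constants copied from FreeBSD's <netinet/ip.h>, <netinet/ip6.h> and
 * <sys/socket.h> (assumption: duplicated so this builds in userland
 * without kernel headers; the AF_* values are only return tags here).
 */
#define IPVERSION           4
#define IPV6_VERSION        0x60
#define IPV6_VERSION_MASK   0xf0
#ifndef AF_INET
#define AF_INET             2
#endif
#ifndef AF_INET6
#define AF_INET6            28
#endif

#define IP_HDRLEN   20
#define IP6_HDRLEN  40

/* First 32 bits of an IPv6 header: version(4) | traffic class(8) | flow label(20). */
static void ip6_build(uint8_t hdr[IP6_HDRLEN], uint8_t tclass, uint32_t flow)
{
    uint32_t w = (6u << 28) | ((uint32_t)tclass << 20) | (flow & 0xfffffu);
    memset(hdr, 0, IP6_HDRLEN);
    hdr[0] = (uint8_t)(w >> 24);   /* this byte is ip6_vfc: version + upper TC nibble */
    hdr[1] = (uint8_t)(w >> 16);
    hdr[2] = (uint8_t)(w >> 8);
    hdr[3] = (uint8_t)w;
    hdr[6] = 59;                   /* next header: none */
    hdr[7] = 64;                   /* hop limit */
}

/* IPv4: the version shares a byte with IHL, and ToS has a byte of its own. */
static void ip4_build(uint8_t hdr[IP_HDRLEN], uint8_t tos)
{
    memset(hdr, 0, IP_HDRLEN);
    hdr[0] = 0x45;                 /* version 4, IHL 5 */
    hdr[1] = tos;
    hdr[3] = IP_HDRLEN;            /* total length (no payload) */
    hdr[8] = 64;                   /* TTL */
}

/*
 * Address-family probe in the shape of ovpn_get_af(): test the IPv4
 * version field first, then the IPv6 vfc byte. 'masked' selects the
 * pre-patch (0) or patched (1) comparison on that byte.
 */
static int get_af(const uint8_t *pkt, size_t len, int masked)
{
    if (len < IP_HDRLEN)
        return 0;
    if ((pkt[0] >> 4) == IPVERSION)        /* struct ip's 4-bit ip_v field */
        return AF_INET;
    if (len < IP6_HDRLEN)
        return 0;
    if (masked) {
        if ((pkt[0] & IPV6_VERSION_MASK) == IPV6_VERSION)
            return AF_INET6;
    } else {
        if (pkt[0] == IPV6_VERSION)        /* pre-patch: whole byte must be 0x60 */
            return AF_INET6;
    }
    return 0;                               /* unknown: packet would be dropped */
}

/* Build a constructed v6 header with the given Traffic Class and classify it. */
int classify_v6(uint8_t tclass, int masked)
{
    uint8_t h[IP6_HDRLEN];
    ip6_build(h, tclass, 0);
    return get_af(h, sizeof(h), masked);
}

/* Same for a constructed v4 header with the given ToS byte. */
int classify_v4(uint8_t tos, int masked)
{
    uint8_t h[IP_HDRLEN];
    ip4_build(h, tos);
    return get_af(h, sizeof(h), masked);
}

static const char *af_name(int af)
{
    return af == AF_INET ? "AF_INET" : af == AF_INET6 ? "AF_INET6" : "unknown";
}

int main(void)
{
    /* DSCP/ECN combinations: 0x00 none, 0x03 ECN only, 0x0c DSCP 3,
     * 0x28 AF11, 0xb8 EF, 0xe0 CS7. Only values >= 0x10 touch ip6_vfc. */
    static const uint8_t tcs[] = { 0x00, 0x03, 0x0c, 0x28, 0xb8, 0xe0 };
    printf("tclass  vfc   unmasked  masked\n");
    for (size_t i = 0; i < sizeof(tcs); i++)
        printf("0x%02x    0x%02x  %-9s %s\n", tcs[i], 0x60 | (tcs[i] >> 4),
               af_name(classify_v6(tcs[i], 0)), af_name(classify_v6(tcs[i], 1)));
    printf("IPv4 ToS 0xb8: %s\n", af_name(classify_v4(0xb8, 0)));
    return 0;
}
```

The table the program prints makes the failure mode visible: with the old comparison, every Traffic Class of 0x10 or more turns a valid IPv6 packet into "unknown", which is the state in which the driver neither hands it to BPF on the way out nor to the IP stack after decryption.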