[PATCH 1/1]: SAs created although tmpl-optional set
Although tmpl-optional is set, the kernel still attempts to create a set of SAs. In xfrm_tmpl_resolve_one(), xfrm_state_find() is called to find an SA. The first time, there won't be an SA, so an ACQUIRE will be sent and the code then returns to xfrm_tmpl_resolve_one(), which then checks tmpl-optional. Since tmpl-optional is set, the xfrm code will then allow the flow to pass untransformed.

I may have misinterpreted the semantics of tmpl-optional (I thought it meant use an SA only if there is one, otherwise do not transform), but do we want to create an SA as well as send the flow without xfrm'ing?

regards,
Joy

Signed-off-by: Joy Latten [EMAIL PROTECTED]

diff -urpN linux-2.6.orig/net/xfrm/xfrm_state.c linux-2.6.spd/net/xfrm/xfrm_state.c --- linux-2.6.orig/net/xfrm/xfrm_state.c2007-11-18 16:53:16.0 -0600 +++ linux-2.6.spd/net/xfrm/xfrm_state.c 2007-11-18 23:38:08.0 -0600 @@ -814,6 +814,12 @@ xfrm_state_find(xfrm_address_t *daddr, x error = -EEXIST; goto out; } + + if (tmpl-optional) { + error = 0; + goto out; + } + x = xfrm_state_alloc(); if (x == NULL) { error = -ENOMEM;

- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
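Review bot: the added `if (tmpl-optional) { error = 0; goto out; }` block sits just before `x = xfrm_state_alloc();`, so for every optional template xfrm_state_find() now returns success with no state, never allocates a larval SA and never sends an ACQUIRE; as the reply in this thread explains, optional only means the SA may be absent on the inbound side (the IPComp case), so this would stop those SAs from ever being negotiated rather than fix a misbehaviour. Suggest dropping the hunk, or, if suppressing the ACQUIRE is really intended, stating that semantics change in the commit message and checking the callers in xfrm_tmpl_resolve_one() that expect the ACQUIRE to have been sent.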
Re: [PATCH 1/1]: SAs created although tmpl-optional set
On Mon, Nov 19, 2007 at 02:53:50AM -0600, Joy Latten wrote:
> Although tmpl-optional is set, kernel still attempts to create a set of SAs.

Heh, I made the same mistake when I first read this piece of code too :)

The optional flag isn't saying that it doesn't need to be protected, but rather that the SA may not be present on input. It's only used for IPComp where we may skip the IPComp if the data is not compressible.

In other words the optional flag is really only meaningful on inbound policy checks.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmVHI~} [EMAIL PROTECTED]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH 1/1]: SAs created although tmpl-optional set
> Heh, I made the same mistake when I first read this piece of code too :)
>
> The optional flag isn't saying that it doesn't need to be protected, but rather that the SA may not be present on input. It's only used for IPComp where we may skip the IPComp if the data is not compressible.
>
> In other words the optional flag is really only meaningful on inbound policy checks.

Thanks for clearing that up for me. :-)

I think it is not documented clearly in ipsec-tools.

Joy
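As an added illustration of the distinction drawn in this thread (not part of any message above, and not from ipsec-tools itself), here is how the two cases look as ipsec-tools setkey SPD entries. It assumes that the setkey level "use" is what becomes the template's optional flag when the policy reaches the kernel over PF_KEY, and the 10.0.0.x addresses are made up.

```conf
# Added example, not from the thread.  Assumption: the setkey "use" level is
# what the kernel turns into tmpl->optional; 10.0.0.1-10.0.0.3 are made-up hosts.

# Intended use of an optional template: IPComp is "use", so an incompressible
# packet may arrive without an IPComp header, but ESP stays "require" in both
# directions and the flow is never allowed through unprotected.
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec
        ipcomp/transport//use
        esp/transport//require;
spdadd 10.0.0.2 10.0.0.1 any -P in ipsec
        ipcomp/transport//use
        esp/transport//require;

# Contrast (different peer so it can be loaded beside the entries above): with
# ESP itself marked "use", the policy matches, an ACQUIRE is sent, and until
# the SA exists the outbound flow passes untransformed, which is exactly what
# the first message in this thread observed.  Keep ESP/AH at "require" for
# traffic that must never leave the host in the clear.
spdadd 10.0.0.1 10.0.0.3 any -P out ipsec
        esp/transport//use;
```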