[PATCH 1/1]: SAs created although tmpl->optional set

2007-11-19 Thread Joy Latten
Although tmpl->optional is set, the kernel still attempts
to create a set of SAs.

In xfrm_tmpl_resolve_one(), xfrm_state_find() is called
to find an SA. The first time, there won't be an SA, so an
ACQUIRE will be sent and the code then returns to
xfrm_tmpl_resolve_one(), which then checks tmpl->optional.
Since tmpl->optional is set, the xfrm code will then
allow the flow to pass untransformed.

I may have misinterpreted the semantics of tmpl->optional
(I thought it meant use an SA only if there is one, otherwise
do not transform), but do we want to create an SA as well as
send the flow without xfrm'ing?

regards,
Joy

Signed-off-by: Joy Latten [EMAIL PROTECTED]


diff -urpN linux-2.6.orig/net/xfrm/xfrm_state.c 
linux-2.6.spd/net/xfrm/xfrm_state.c
--- linux-2.6.orig/net/xfrm/xfrm_state.c2007-11-18 16:53:16.0 
-0600
+++ linux-2.6.spd/net/xfrm/xfrm_state.c 2007-11-18 23:38:08.0 -0600
@@ -814,6 +814,12 @@ xfrm_state_find(xfrm_address_t *daddr, x
error = -EEXIST;
goto out;
}
+
+   if (tmpl-optional) {
+   error = 0;
+   goto out;
+   }
+
x = xfrm_state_alloc();
if (x == NULL) {
error = -ENOMEM;
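Review bot: the early `error = 0; goto out;` on the optional flag returns before xfrm_state_alloc() and therefore before any ACQUIRE is generated, so an outbound flow under such a policy would never get its SA negotiated; as Herbert Xu's reply in this thread explains, the flag only means the SA may be absent on input (the IPComp-not-compressible case), not that output may go unprotected. Suggest dropping this hunk rather than changing the outbound state lookup; if an input-side relaxation is what is wanted, it belongs in the inbound policy check, which already consumes the flag. Also note the posted hunk reads `tmpl-optional`; the field access is `tmpl->optional` and the arrow appears to have been lost in transit.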
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 1/1]: SAs created although tmpl->optional set

2007-11-19 Thread Herbert Xu
On Mon, Nov 19, 2007 at 02:53:50AM -0600, Joy Latten wrote:
> Although tmpl->optional is set, the kernel still attempts
> to create a set of SAs.

Heh I made the same mistake when I first read this piece of
code too :) The optional flag isn't saying that it doesn't need
to be protected, but rather that the SA may not be present on
input.  It's only used for IPComp where we may skip the IPComp
if the data is not compressible.

In other words, the optional flag is really only meaningful on
inbound policy checks.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmVHI~} [EMAIL PROTECTED]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
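Herbert's reading of the flag, as a simplified user-space model (an added example, not the kernel's xfrm code; the struct layouts, the in-order matching rule and the tolerance of extra SAs are assumptions of this model): an optional template may go unmatched on input without the packet being rejected, while a required one cannot.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model, not kernel code: layouts and the check are invented here. */
enum proto { PROTO_ESP = 50, PROTO_IPCOMP = 108 };

/* Template: the transform required, and whether its SA may be absent on
 * input (the IPComp case). */
struct tmpl { enum proto proto; bool optional; };

/* Security path: SAs the packet actually arrived through, outermost first. */
struct sec_path { enum proto xvec[4]; int len; };

/* Inbound check: each template must be matched by the next SA in the
 * sec_path unless it is optional, which is then skipped without consuming
 * an SA. This simplified model tolerates extra SAs. */
bool inbound_policy_ok(const struct tmpl *tmpls, int ntmpl,
                       const struct sec_path *sp)
{
    int idx = 0;
    for (int i = 0; i < ntmpl; i++) {
        if (idx < sp->len && sp->xvec[idx] == tmpls[i].proto) {
            idx++;
            continue;
        }
        if (!tmpls[i].optional)
            return false;   /* a required transform was not applied */
    }
    return true;
}

/* Policy "ESP, then IPComp", with IPComp's optional flag as given; returns
 * whether a packet that arrived through `received` passes the check. */
bool check(const enum proto *received, int n, bool ipcomp_optional)
{
    struct tmpl tmpls[] = { { PROTO_ESP, false },
                            { PROTO_IPCOMP, ipcomp_optional } };
    struct sec_path sp = { .len = n > 4 ? 4 : n };
    for (int i = 0; i < sp.len; i++)
        sp.xvec[i] = received[i];
    return inbound_policy_ok(tmpls, 2, &sp);
}

int main(void)
{
    enum proto esp_only[] = { PROTO_ESP };   /* IPComp skipped: not compressible */
    printf("IPComp optional: %s\n", check(esp_only, 1, true) ? "ok" : "reject");
    printf("IPComp required: %s\n", check(esp_only, 1, false) ? "ok" : "reject");
    return 0;
}
```

The outbound side has no counterpart here on purpose: as the thread says, a template's SA is always looked up (and acquired) on output regardless of the flag.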


Re: [PATCH 1/1]: SAs created although tmpl->optional set

2007-11-19 Thread Joy Latten
> Heh I made the same mistake when I first read this piece of
> code too :) The optional flag isn't saying that it doesn't need
> to be protected, but rather that the SA may not be present on
> input.  It's only used for IPComp where we may skip the IPComp
> if the data is not compressible.
>
> In other words the optional flag is really only meaningful on
> inbound policy checks.

Thanks for clearing that up for me. :-) 
I think it is not documented clearly in ipsec-tools.

Joy