Re: ipsec not working in 2.6.23-rc1-git10 when using pfkey
On Friday 03 August 2007 01:01:14 David Miller wrote:

> Joakim, TEST YOUR PATCHES, and not just with your BEET test cases, before submitting them in the future.
>
> Having normal configurations of both PF_KEY and XFRM_USER ipsec totally break as a result of your changes is totally unacceptable and I will doubly scrutinize your patch submissions in the future because of what has happened here.

Ok, seems fair and sorry for all the extra work this caused. Had a creeping feeling it would break something (as it so obviously could), but wrote it off as paranoia as it didn't seem to negatively affect either transport or tunnel mode (..but then again, I was only using the ip tool to manually set them up).

br, j

- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
ipsec not working in 2.6.23-rc1-git10 when using pfkey
Although an ipsec SA was established, kernel couldn't seem to find it.

I think since we are now using x->sel.family instead of family in the xfrm_selector_match() called in xfrm_state_find(), af_key needs to set this field too, just as xfrm_user.

In af_key.c, x->sel.family only gets set when there's an ext_hdrs[SADB_EXT_ADDRESS_PROXY-1] which I think is for tunnel.

I think pfkey needs to also set the x->sel.family field when it is 0.

Tested with below patch, and ipsec worked when using pfkey. Let me know if this is correct approach or not.

Regards, Joy

diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.fp/net/key/af_key.c --- linux-2.6.22/net/key/af_key.c 2007-08-02 12:32:02.0 -0500 +++ linux-2.6.22.fp/net/key/af_key.c2007-08-02 12:40:57.0 -0500 @@ -1205,6 +1205,9 @@ static struct xfrm_state * pfkey_msg2xfr x-sel.family = pfkey_sadb_addr2xfrm_addr(addr, x-sel.saddr); x-sel.prefixlen_s = addr-sadb_address_prefixlen; } + + if (!x-sel.family) + x-sel.family = x-props.family; if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) { struct sadb_x_nat_t_type* n_type;
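Review bot: The family fallback added after the SADB_EXT_ADDRESS_PROXY block carries no comment saying why a zero selector family has to be replaced, so a later cleanup could drop it as redundant; a one-line comment noting that xfrm_state_find() now matches on the selector family would protect it. The fallback also assumes props.family is already set at this point, which the hunk does not show, and if it can still be 0 the state stays unmatchable. The diff header paths are linux-2.6.22 while the report is against 2.6.23-rc1-git10, so confirm the hunk applies to the tree being fixed, and the submission has no Signed-off-by line.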
Re: ipsec not working in 2.6.23-rc1-git10 when using pfkey
From: Joy Latten [EMAIL PROTECTED]
Date: Thu, 2 Aug 2007 13:58:38 -0500

> Although an ipsec SA was established, kernel couldn't seem to find it.
>
> I think since we are now using x->sel.family instead of family in the xfrm_selector_match() called in xfrm_state_find(), af_key needs to set this field too, just as xfrm_user.
>
> In af_key.c, x->sel.family only gets set when there's an ext_hdrs[SADB_EXT_ADDRESS_PROXY-1] which I think is for tunnel.
>
> I think pfkey needs to also set the x->sel.family field when it is 0.

Thanks for finding this bug Joy.

It basically proves that this inner address change was %100 not tested in any reasonable way by the patch submitter.

Originally Herbert and I thought I only saw problems because XFRM_USER cases such as openswan did not set the x->sel.family field, but now that we see that PF_KEY also has the same exact problem and as a result I am very annoyed.

Joakim, TEST YOUR PATCHES, and not just with your BEET test cases, before submitting them in the future.

Having normal configurations of both PF_KEY and XFRM_USER ipsec totally break as a result of your changes is totally unacceptable and I will doubly scrutinize your patch submissions in the future because of what has happened here.

Thanks.
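The failure discussed in this thread, as a simplified user-space model: an added example, not kernel code and not from any of the posters. The struct layouts and the names `prefix_match`, `state_matches` and `fixup_sel_family` are hypothetical stand-ins, and the zeroed selector in `main` is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h> /* AF_INET, AF_INET6 */

/* Simplified stand-ins for the kernel structures (assumption, not kernel code). */
struct selector { unsigned short family; unsigned char daddr[16]; unsigned char prefixlen_d; };
struct state { struct selector sel; struct { unsigned short family; } props; };
struct flow { unsigned char daddr[16]; };

/* Compare the first `bits` bits of two addresses; 0 bits matches anything. */
static int prefix_match(const unsigned char *a, const unsigned char *b, unsigned bits)
{
    unsigned bytes = bits / 8, rem = bits % 8;
    if (memcmp(a, b, bytes) != 0)
        return 0;
    return rem == 0 || ((a[bytes] ^ b[bytes]) >> (8 - rem)) == 0;
}

/* Dispatch on family; an unset family (0) falls through and matches nothing. */
static int selector_match(const struct selector *sel, const struct flow *fl, unsigned short family)
{
    switch (family) {
    case AF_INET: case AF_INET6:
        return prefix_match(sel->daddr, fl->daddr, sel->prefixlen_d);
    }
    return 0;
}

/* Lookup keyed on the SA's own selector family, as described in the thread. */
static int state_matches(const struct state *x, const struct flow *fl)
{
    return selector_match(&x->sel, fl, x->sel.family);
}

/* The fallback from the posted patch: inherit props.family when sel.family is 0. */
static void fixup_sel_family(struct state *x)
{
    if (!x->sel.family)
        x->sel.family = x->props.family;
}

int main(void)
{
    struct state x = { .props = { AF_INET } }; /* constructed: zeroed selector */
    struct flow fl = { { 192, 0, 2, 1 } };     /* constructed flow destination */
    int before = state_matches(&x, &fl);
    fixup_sel_family(&x);
    printf("before=%d after=%d\n", before, state_matches(&x, &fl));
    return 0;
}
```

The SA exists in both cases; only the zero selector family makes the lookup skip it, which is why the symptom was an established SA the kernel could not find.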