From: "Pavel Šimerda" <pavlix@pavlix.net>
To: netdev@vger.kernel.org
Cc: stephen@networkplumber.org, psimerda@redhat.com
Subject: [PATCH 3/7] ip-xfrm: support 'proto any' with 'sport' and 'dport'
Date: Mon, 13 Apr 2015 16:00:57 +0200
Message-ID: <1428933661-8193-3-git-send-email-pavlix@pavlix.net>
In-Reply-To: <1428933661-8193-2-git-send-email-pavlix@pavlix.net>

From: Pavel Šimerda <psimerda@redhat.com>

When creating an IPsec SA that sets 'proto any' (IPPROTO_IP) and
specifies 'sport' and 'dport' at the same time in selector, the
following error is issued:

    "sport" and "dport" are invalid with proto=ip

However using IPPROTO_IP with ports is completely legal and necessary
when one wants to share the SA on both TCP and UDP. One of the
applications requiring sharing SAs is 3GPP IMS AKA authentication.

See also:

 * https://bugzilla.redhat.com/show_bug.cgi?id=497355

Reported-by: Jiří Klimeš <jklimes@redhat.com>
Signed-off-by: Pavel Šimerda <psimerda@redhat.com>
---
ip/ipxfrm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 95f91a5..e685571 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -1339,6 +1339,7 @@ static int xfrm_selector_upspec_parse(struct xfrm_selector *sel,
case IPPROTO_UDP:
case IPPROTO_SCTP:
case IPPROTO_DCCP:
+ case IPPROTO_IP: /* to allow shared SA for different protocols */
break;
default:
fprintf(stderr, "\"sport\" and \"dport\" are invalid with PROTO value \"%s\"\n", strxf_proto(sel->proto));
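Review bot: The comment on the added `case IPPROTO_IP:` line does not say that IPPROTO_IP is the value 'proto any' stands for, so a reader of this switch sees a protocol without ports of its own listed beside UDP, SCTP and DCCP with no hint why 'sport' and 'dport' are meaningful for it. Suggest wording along the lines of `/* 'proto any': port selectors allowed so one SA can be shared across protocols */`, and documenting in the ip-xfrm usage or man page text that 'sport'/'dport' are now accepted with 'proto any', since this change touches only ip/ipxfrm.c. Separately, the error quoted in the commit message ("... are invalid with proto=ip") does not match the fprintf format in the context line of this hunk ("... are invalid with PROTO value \"%s\""); quoting the message as the current code prints it would make the report easier to match against real output.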
--
2.3.5