* ipsec not working in 2.6.23-rc1-git10 when using pfkey
@ 2007-08-02 18:58 Joy Latten
2007-08-02 22:01 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Joy Latten @ 2007-08-02 18:58 UTC (permalink / raw)
To: netdev; +Cc: davem
Although an ipsec SA was established, kernel couldn't seem to find it.

I think since we are now using "x->sel.family" instead of "family"
in the xfrm_selector_match() called in xfrm_state_find(), af_key
needs to set this field too, just as xfrm_user.

In af_key.c, x->sel.family only gets set when there's an
ext_hdrs[SADB_EXT_ADDRESS_PROXY-1] which I think is for tunnel.

I think pfkey needs to also set the x->sel.family field when it is 0.

Tested with below patch, and ipsec worked when using pfkey.
Let me know if this is correct approach or not.

Regards,
Joy
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.fp/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c 2007-08-02 12:32:02.000000000 -0500
+++ linux-2.6.22.fp/net/key/af_key.c 2007-08-02 12:40:57.000000000 -0500
@@ -1205,6 +1205,9 @@ static struct xfrm_state * pfkey_msg2xfr
x->sel.family = pfkey_sadb_addr2xfrm_addr(addr, &x->sel.saddr);
x->sel.prefixlen_s = addr->sadb_address_prefixlen;
}
+
+ if (!x->sel.family)
+ x->sel.family = x->props.family;
if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
struct sadb_x_nat_t_type* n_type;
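Review bot: the fallback added after the address-proxy block copies x->props.family, which is only correct if props.family has already been assigned at this point in the function; the hunk does not show that assignment, so the ordering should be confirmed. A one-line comment above `if (!x->sel.family)` saying that the state lookup now matches on x->sel.family would explain why the default is needed, and a blank line after the new block would separate it from the SADB_X_EXT_NAT_T_TYPE handling. The diff paths name linux-2.6.22 while the report is against 2.6.23-rc1-git10, and the mail carries no Signed-off-by line, so it would need a respin before it can be applied.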
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ipsec not working in 2.6.23-rc1-git10 when using pfkey
2007-08-02 18:58 ipsec not working in 2.6.23-rc1-git10 when using pfkey Joy Latten
@ 2007-08-02 22:01 ` David Miller
2007-08-06 6:45 ` Joakim Koskela
0 siblings, 1 reply; 3+ messages in thread
From: David Miller @ 2007-08-02 22:01 UTC (permalink / raw)
To: latten; +Cc: netdev, jookos
From: Joy Latten <latten@austin.ibm.com>
Date: Thu, 2 Aug 2007 13:58:38 -0500
> Although an ipsec SA was established, kernel couldn't seem to find it.
>
> I think since we are now using "x->sel.family" instead of "family"
> in the xfrm_selector_match() called in xfrm_state_find(), af_key
> needs to set this field too, just as xfrm_user.
>
> In af_key.c, x->sel.family only gets set when there's an
> ext_hdrs[SADB_EXT_ADDRESS_PROXY-1] which I think is for tunnel.
>
> I think pfkey needs to also set the x->sel.family field when it is 0.
Thanks for finding this bug Joy.

It basically proves that this inner address change was 100% not tested
in any reasonable way by the patch submitter.

Originally Herbert and I thought I only saw problems because XFRM_USER
cases such as openswan did not set the x->sel.family field, but now
that we see that PF_KEY also has the same exact problem and as a
result I am very annoyed.

Joakim, TEST YOUR PATCHES, and not just with your BEET test cases,
before submitting them in the future. Having normal configurations of
both PF_KEY and XFRM_USER ipsec totally break as a result of your
changes is totally unacceptable and I will doubly scrutinize your
patch submissions in the future because of what has happened here.

Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ipsec not working in 2.6.23-rc1-git10 when using pfkey
2007-08-02 22:01 ` David Miller
@ 2007-08-06 6:45 ` Joakim Koskela
0 siblings, 0 replies; 3+ messages in thread
From: Joakim Koskela @ 2007-08-06 6:45 UTC (permalink / raw)
To: David Miller; +Cc: latten, netdev
On Friday 03 August 2007 01:01:14 David Miller wrote:
> Joakim, TEST YOUR PATCHES, and not just with your BEET test cases,
> before submitting them in the future. Having normal configurations of
> both PF_KEY and XFRM_USER ipsec totally break as a result of your
> changes is totally unacceptable and I will doubly scrutinize your
> patch submissions in the future because of what has happened here.
Ok, seems fair and sorry for all the extra work this caused. Had a creeping
feeling it would break something (as it so obviously could), but wrote it off
as paranoia as it didn't seem to negatively affect either transport or tunnel
mode (..but then again, I was only using the ip tool to manually set them
up).
br, j
^ permalink raw reply [flat|nested] 3+ messages in thread
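The lookup failure reported in the first message, as an added example that is not part of the thread or the kernel source: a simplified user-space model in C of matching on x->sel.family when PF_KEY left it at 0. It assumes that the selector match returns "no match" for an unset family; the struct layouts and the names `prefix_match`, `make_pfkey_state` and `state_matches` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET */

/* Simplified user-space model; these are NOT the kernel's structures. */
struct sel   { uint16_t family; uint32_t daddr, saddr; uint8_t prefixlen_d, prefixlen_s; };
struct state { struct sel sel; struct { uint16_t family; } props; };
struct flow  { uint32_t daddr, saddr; };

static int prefix_match(uint32_t a, uint32_t b, uint8_t len)
{
    uint32_t mask = len ? ~0u << (32 - len) : 0;  /* prefix length 0 matches any address */
    return ((a ^ b) & mask) == 0;
}

/* Assumed dispatch: a family the matcher does not know (including 0) matches nothing. */
static int selector_match(const struct sel *s, const struct flow *fl, uint16_t family)
{
    switch (family) {
    case AF_INET:
        return prefix_match(fl->daddr, s->daddr, s->prefixlen_d) &&
               prefix_match(fl->saddr, s->saddr, s->prefixlen_s);
    default:
        return 0;
    }
}

/* An SA built from a PF_KEY message without a proxy address: the selector stays zeroed. */
static struct state make_pfkey_state(int apply_fallback)
{
    struct state x = { .props = { .family = AF_INET } };
    if (apply_fallback && !x.sel.family)      /* the check the patch adds */
        x.sel.family = x.props.family;
    return x;
}

/* Lookup as described in the report: match on x->sel.family, not the caller's family. */
static int state_matches(const struct state *x, const struct flow *fl)
{
    return selector_match(&x->sel, fl, x->sel.family);
}

int main(void)
{
    struct flow fl = { .daddr = 0xC0A80001u, .saddr = 0xC0A80002u };  /* constructed addresses */
    struct state before = make_pfkey_state(0), after = make_pfkey_state(1);
    printf("without fallback: %d, with fallback: %d\n", state_matches(&before, &fl), state_matches(&after, &fl));
    return 0;
}
```

Passing the caller's family to `selector_match` for the unpatched state still matches, which is why the SA was found before the lookup switched to `x->sel.family`.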