* 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors
From: Jiri Klimes @ 2009-04-24 11:11 UTC
To: netdev

Hello,

please find a patch in the attachment. I propose the patch to allow creation of an IPsec SA shareable by more protocols (TCP, UDP, ...).

Description:
When creating an IPsec SA that sets 'proto any' (IPPROTO_IP) and specifies 'sport' and 'dport' at the same time in the selector, the following error is issued:

  "sport" and "dport" are invalid with proto=ip

However, using IPPROTO_IP with ports is completely legal and necessary when one wants to share the SA on both TCP and UDP. One of the applications requiring sharing SAs is 3GPP IMS AKA authentication.

testcase:

  ip x s add src 10.0.0.10 dst 10.0.0.20 proto esp spi 0x3113 enc cipher_null "" auth md5 0xbde359723576fdea08e56cbe876e24ad mode transport sel proto any sport 1234 dport 4321

Note: XFRM allows this programmatically.

Could you please review the patch and apply it.

Cheers,
Jiri Klimes

PS: a bug report on this is filed in Red Hat's bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=497355
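The selector semantics this message relies on ('proto any' is IPPROTO_IP, i.e. protocol 0, which the kernel treats as a wildcard while still comparing the ports through their masks), as an added example that is not part of the thread or of iproute2. It models iproute2's xfrm_selector_upspec_parse() protocol check before and after the one-line change proposed here, and a simplified protocol/port match modelled on the kernel's __xfrm4_selector_match(). The struct layouts, the make_sel()/make_flow() helpers and the sample flows are constructed for the example, and treating a protocol without ports as presenting zero in the port fields is a simplification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_* constants */
#include <arpa/inet.h>    /* htons() */

/* Reduced model of struct xfrm_selector: only the upper-layer fields.
 * Ports and masks are network byte order, as in the kernel's struct. */
struct sel {
	uint8_t  proto;        /* 0 (IPPROTO_IP) means "any protocol" */
	uint16_t sport, dport;
	uint16_t sport_mask, dport_mask;
};

/* Reduced model of the flow key the kernel matches against a selector. */
struct flow {
	uint8_t  proto;
	uint16_t sport, dport; /* zero for protocols without ports (simplification) */
};

/* Models iproute2's xfrm_selector_upspec_parse(): may sport/dport be
 * given for this protocol?  'patched' selects the behaviour with the
 * thread's added "case IPPROTO_IP:". */
bool upspec_ports_allowed(uint8_t proto, bool patched)
{
	switch (proto) {
	case IPPROTO_TCP:
	case IPPROTO_UDP:
	case IPPROTO_SCTP:
	case IPPROTO_DCCP:
		return true;
	case IPPROTO_IP:
		return patched;   /* rejected before the patch, accepted after */
	default:
		return false;
	}
}

/* Builds a selector the way "sel proto P sport S dport D" would: a port
 * given on the command line gets an all-ones mask, an omitted one (0) a
 * zero mask and therefore matches any value. */
struct sel make_sel(uint8_t proto, uint16_t sport, uint16_t dport)
{
	struct sel s = {
		.proto = proto,
		.sport = htons(sport), .sport_mask = sport ? 0xffff : 0,
		.dport = htons(dport), .dport_mask = dport ? 0xffff : 0,
	};
	return s;
}

struct flow make_flow(uint8_t proto, uint16_t sport, uint16_t dport)
{
	struct flow f = { .proto = proto, .sport = htons(sport), .dport = htons(dport) };
	return f;
}

/* Modelled on the kernel's __xfrm4_selector_match(): a zero selector
 * protocol is a wildcard; ports are compared only through their masks. */
bool selector_matches(const struct sel *s, const struct flow *f)
{
	if (s->proto && s->proto != f->proto)
		return false;
	if ((s->dport ^ f->dport) & s->dport_mask)
		return false;
	if ((s->sport ^ f->sport) & s->sport_mask)
		return false;
	return true;
}

int main(void)
{
	/* The thread's testcase selector: proto any sport 1234 dport 4321 */
	struct sel shared = make_sel(IPPROTO_IP, 1234, 4321);
	struct sel tcp_only = make_sel(IPPROTO_TCP, 1234, 4321);
	/* Constructed sample flows */
	struct flow flows[] = {
		make_flow(IPPROTO_TCP, 1234, 4321),
		make_flow(IPPROTO_UDP, 1234, 4321),
		make_flow(IPPROTO_UDP, 1234, 53),
		make_flow(IPPROTO_ICMP, 0, 0),
	};
	const char *names[] = { "tcp 1234->4321", "udp 1234->4321", "udp 1234->53", "icmp" };

	printf("proto any + ports accepted by ip: before=%d after=%d\n",
	       upspec_ports_allowed(IPPROTO_IP, false), upspec_ports_allowed(IPPROTO_IP, true));
	for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++)
		printf("%-15s shared SA: %d  tcp-only SA: %d\n", names[i],
		       selector_matches(&shared, &flows[i]), selector_matches(&tcp_only, &flows[i]));
	return 0;
}
```

The point the model makes visible is that the 'proto any' selector with ports is narrower than "any traffic" and wider than a single protocol: TCP and UDP flows on 1234->4321 both land on the shared SA, UDP to another port does not, and a protocol with nothing in the port fields of its flow key cannot match a selector that pins both ports. Whether a real non-port protocol carries other data in those flow-key bytes is kernel behaviour outside this model, which is why the thread's "XFRM allows this programmatically" is the operative check rather than the userspace parser.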
* Re: 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors
From: David Miller @ 2009-04-24 11:49 UTC
To: klimes; +Cc: netdev

From: "Jiri Klimes" <klimes@centrum.cz>
Date: Fri, 24 Apr 2009 13:11:34 +0200

> please find a patch in the attachment.

There is no attachment.
* Re: 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors
From: Jiri Klimes @ 2009-04-24 13:15 UTC
To: netdev

[-- Attachment #1: Type: text/plain, Size: 495 bytes --]

> From: davem@davemloft.net
> To: klimes@centrum.cz
> CC: netdev@vger.kernel.org
> Date: 24.04.2009 13:49
> Subject: Re: 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors
>
> From: "Jiri Klimes" <klimes@centrum.cz>
> Date: Fri, 24 Apr 2009 13:11:34 +0200
>
> > please find a patch in the attachment.
>
> There is no attachment.

oops, sorry. Forgot the most important.

[-- Attachment #2: ip_sa.patch --]
[-- Type: text/x-patch; name="ip_sa.patch", Size: 487 bytes --]

--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -1156,6 +1156,7 @@ static int xfrm_selector_upspec_parse(struct xfrm_selector *sel,
 	case IPPROTO_UDP:
 	case IPPROTO_SCTP:
 	case IPPROTO_DCCP:
+	case IPPROTO_IP: /* to allow shared SA for different protocols */
 		break;
 	default:
 		fprintf(stderr, "\"sport\" and \"dport\" are invalid with proto=%s\n", strxf_proto(sel->proto));
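Review bot: the added "case IPPROTO_IP:" in xfrm_selector_upspec_parse() relaxes the userspace check without saying what sport/dport mean once the protocol is wildcarded; the inline comment should state that the kernel decides how the port fields are matched for non-TCP/UDP traffic under a proto-0 selector, and the ip xfrm help text that documents sport/dport should be updated to say 'proto any' is now accepted with them, since the old error message "sport" and "dport" are invalid with proto=ip is still what users will find. On the same hunk, the patch carries no Signed-off-by line and no commit description, and it was sent as an attachment (ip_sa.patch) rather than inline, which netdev expects so the diff can be quoted in review.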
Thread overview: 3+ messages
[not found] <200904241303.8959@centrum.cz>
[not found] ` <200904241304.13486@centrum.cz>
[not found] ` <200904241305.11036@centrum.cz>
[not found] ` <200904241306.11421@centrum.cz>
[not found] ` <200904241307.10948@centrum.cz>
[not found] ` <200904241308.31592@centrum.cz>
[not found] ` <200904241309.13171@centrum.cz>
[not found] ` <200904241310.10823@centrum.cz>
2009-04-24 11:11 ` 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors Jiri Klimes
2009-04-24 11:49 ` David Miller
2009-04-24 13:15 ` Jiri Klimes