From: Patrick McHardy <kaber@trash.net>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@redhat.com>,
netdev@oss.sgi.com, ipsec-tools-devel@lists.sourceforge.net
Subject: Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward
Date: Mon, 18 Oct 2004 00:26:51 +0200 [thread overview]
Message-ID: <4172F1AB.4020305@trash.net> (raw)
In-Reply-To: <20041017212317.GA28615@gondor.apana.org.au>
[-- Attachment #1: Type: text/plain, Size: 991 bytes --]
Herbert Xu wrote:
>On Sun, Oct 17, 2004 at 05:48:11PM +0200, Patrick McHardy wrote:
>
>
>>currently forwarded packets from a tunnel mode SA are checked
>>in ip_forward/ip6_forward against the XFRM_POLICY_FWD policy
>>list. Neither racoon nor pluto generate a policy for
>>IPSEC_DIR_FWD, so the checks are performed against an empty
>>
>>
>
>Actually I made damn sure that pluto does generate rules for
>IPSEC_DIR_FWD after discussing it with Alexey :) Search for
>XFRM_POLICY_FWD in openswan/programs/pluto.
>
>
Thanks, I didn't know pluto uses the xfrm_user interface, so
I only looked for pfkey symbolic names. So it seems only racoon
needs to be fixed. I think we should apply the attached patch
to make xfrm_policy_check reject packets decapsulated by IPsec
without a policy for this direction, so people will notice
something is wrong. It also prevents skipping checks against the
socket policy if there is an empty policy list .. or am I missing
something ?
Regards
Patrick
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1257 bytes --]
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/10/18 00:09:08+02:00 kaber@coreworks.de
# [XFRM]: Fix invalid optimization in xfrm_policy_check
#
# By skipping policy checks when the policy list is empty we
# allow packets decapsulated by IPsec without a policy and
# miss checking against socket policies.
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# include/net/xfrm.h
# 2004/10/18 00:08:14+02:00 kaber@coreworks.de +1 -1
# [XFRM]: Fix invalid optimization in xfrm_policy_check
#
# By skipping policy checks when the policy list is empty we
# allow packets decapsulated by IPsec without a policy and
# miss checking against socket policies.
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
diff -Nru a/include/net/xfrm.h b/include/net/xfrm.h
--- a/include/net/xfrm.h 2004-10-18 00:15:18 +02:00
+++ b/include/net/xfrm.h 2004-10-18 00:15:18 +02:00
@@ -601,7 +601,7 @@
if (sk && sk->sk_policy[XFRM_POLICY_IN])
return __xfrm_policy_check(sk, dir, skb, family);
- return !xfrm_policy_list[dir] ||
+ return ((!sk || !sk->sk_policy[dir]) && !xfrm_policy_list[dir] && !skb->sp) ||
(skb->dst->flags & DST_NOPOLICY) ||
__xfrm_policy_check(sk, dir, skb, family);
}
next prev parent reply other threads:[~2004-10-17 22:26 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-10-17 15:48 [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward Patrick McHardy
2004-10-17 21:23 ` Herbert Xu
2004-10-17 22:26 ` Patrick McHardy [this message]
2004-10-17 22:42 ` Patrick McHardy
2004-10-17 23:12 ` Herbert Xu
2004-10-18 20:34 ` Patrick McHardy
2004-10-18 21:43 ` [XFRM] Allow transport SAs even when there is no policy Herbert Xu
2004-10-19 14:16 ` Patrick McHardy
2004-10-19 21:25 ` Herbert Xu
2004-10-21 5:04 ` David S. Miller
2004-10-21 5:02 ` David S. Miller
2004-10-19 15:31 ` [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward Aidas Kasparas
2004-10-19 15:38 ` Patrick McHardy
2004-10-19 15:57 ` Aidas Kasparas
2004-10-19 21:26 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4172F1AB.4020305@trash.net \
--to=kaber@trash.net \
--cc=davem@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=ipsec-tools-devel@lists.sourceforge.net \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).