netdev.vger.kernel.org archive mirror
* [PATCH] sctp: IPsec rules are ineffective with ipv6
From: Nicolas Dichtel @ 2010-01-27 14:12 UTC
  To: netdev, Vlad Yasevich, linux-sctp

[-- Attachment #1: Type: text/plain, Size: 165 bytes --]

xfrm_lookup() is missing in sctp_v6_xmit(), add it.

Signed-off-by: Junwei Zhang <junwei.zhang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

[-- Attachment #2: x.diff --]
[-- Type: text/x-diff, Size: 708 bytes --]

diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index cc50fbe..f24e23c 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -197,8 +197,10 @@ out:
 static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
 {
 	struct sock *sk = skb->sk;
+	struct dst_entry *dst = skb_dst(skb);
 	struct ipv6_pinfo *np = inet6_sk(sk);
 	struct flowi fl;
+	int err;
 
 	memset(&fl, 0, sizeof(fl));
 
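Review bot: the new local `dst` in the declarations is only a copy of skb_dst(skb), and the lookup added further down in this function is handed &dst, so any entry it writes back lands in that local and nowhere else. The unchanged `return ip6_xmit(sk, skb, &fl, np->opt, 0);` is never given `dst`; if the looked-up entry is meant to take effect, it has to be attached to the skb before transmit (for example with skb_dst_set()), with the reference on the previous entry accounted for.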
@@ -231,6 +233,9 @@ static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
 	if (!(transport->param_flags & SPP_PMTUD_ENABLE))
 		skb->local_df = 1;
 
+	if ((err = xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0)
+		return err;
+
 	return ip6_xmit(sk, skb, &fl, np->opt, 0);
 }
 
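Review bot: the early `return err;` after the added xfrm_lookup() call leaves the function with no visible handling of skb, while the normal path hands skb on to ip6_xmit(). State who owns and frees skb when the lookup fails, or free it here. The assignment inside the condition should also be split out (`err = xfrm_lookup(...);` followed by `if (err < 0)`), which is the usual kernel style.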

* Re: [PATCH] sctp: IPsec rules are ineffective with ipv6
From: David Miller @ 2010-01-28 13:51 UTC
  To: nicolas.dichtel; +Cc: netdev, vladislav.yasevich, linux-sctp

From: Nicolas Dichtel <nicolas.dichtel@dev.6wind.com>
Date: Wed, 27 Jan 2010 15:12:59 +0100

> xfrm_lookup() is missing in sctp_v6_xmit(), add it.
> 
> Signed-off-by: Junwei Zhang <junwei.zhang@6wind.com>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Doing this every transmit packet is overkill.

Whatever calculates the route that ends up in skb_dst(skb)
should be making this xfrm_lookup() call, not here.

* Re: [PATCH] sctp: IPsec rules are ineffective with ipv6
From: Vlad Yasevich @ 2010-01-28 15:24 UTC
  To: David Miller; +Cc: nicolas.dichtel, netdev, linux-sctp



David Miller wrote:
> From: Nicolas Dichtel <nicolas.dichtel@dev.6wind.com>
> Date: Wed, 27 Jan 2010 15:12:59 +0100
> 
>> xfrm_lookup() is missing in sctp_v6_xmit(), add it.
>>
>> Signed-off-by: Junwei Zhang <junwei.zhang@6wind.com>
>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> 
> Doing this every transmit packet is overkill.
> 
> Whatever calculates the route that ends up in skb_dst(skb)
> should be making this xfrm_lookup() call, not here.
> 


Hmm.. Interesting.  Looks like ip_route_output_key() will
do xfrm_lookup for you, but there is no ipv6 route lookup call
that will do the same thing.

I guess we'll need to add an xfrm_lookup call in sctp_v6_get_dst().

-vlad

* Re: [PATCH] sctp: IPsec rules are ineffective with ipv6
From: Nicolas Dichtel @ 2010-01-28 15:41 UTC
  To: Vlad Yasevich; +Cc: David Miller, netdev, linux-sctp

[-- Attachment #1: Type: text/plain, Size: 1019 bytes --]

What about this one?

Only compilation tested.

xfrm_lookup() is missing in IPv6 output path. Call it when dst is built. Initial
patch was written by Junwei Zhang <junwei.zhang@6wind.com>

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>


[-- Attachment #2: x2.diff --]
[-- Type: text/x-diff, Size: 810 bytes --]

diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index cc50fbe..4081ffb 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -258,13 +258,14 @@ static struct dst_entry *sctp_v6_get_dst(struct sctp_association *asoc,
 	}
 
 	dst = ip6_route_output(&init_net, NULL, &fl);
-	if (!dst->error) {
-		struct rt6_info *rt;
-		rt = (struct rt6_info *)dst;
-		SCTP_DEBUG_PRINTK("rt6_dst:%pI6 rt6_src:%pI6\n",
-			&rt->rt6i_dst.addr, &rt->rt6i_src.addr);
-		return dst;
-	}
+	if (!dst->error)
+		if (xfrm_lookup(&init_net, &dst, &fl, asoc ? asoc->base.sk : NULL, 0) >= 0) {
+			struct rt6_info *rt;
+			rt = (struct rt6_info *)dst;
+			SCTP_DEBUG_PRINTK("rt6_dst:%pI6 rt6_src:%pI6\n",
+				&rt->rt6i_dst.addr, &rt->rt6i_src.addr);
+			return dst;
+		}
 	SCTP_DEBUG_PRINTK("NO ROUTE\n");
 	dst_release(dst);
 	return NULL;
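Review bot: when xfrm_lookup() fails in the new inner `if`, control falls through to `SCTP_DEBUG_PRINTK("NO ROUTE\n")` and `dst_release(dst)`, but xfrm_lookup() was handed &dst and may already have changed or dropped that entry. Check what dst holds after a failed lookup before releasing it, and give the policy failure its own debug message, since a route was in fact found. The outer `if (!dst->error)` now guards a multi-line body and should get braces, and the xfrm_lookup() line runs well past 80 columns.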

* Re: [PATCH] sctp: IPsec rules are ineffective with ipv6
From: Vlad Yasevich @ 2010-01-28 16:36 UTC
  To: nicolas.dichtel; +Cc: David Miller, netdev, linux-sctp



Nicolas Dichtel wrote:
> What about this one?
> 
> Only compilation tested.
> 
> xfrm_lookup() is missing in IPv6 output path. Call it when dst is built.
> Initial patch was written by Junwei Zhang <junwei.zhang@6wind.com>
> 
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Looks like it might do the right thing.  Please run your tests
on this and let me know.

Thanks
-vlad

* Re: [PATCH] sctp: IPsec rules are ineffective with ipv6
From: Nicolas Dichtel @ 2010-01-28 18:25 UTC
  To: Vlad Yasevich; +Cc: David Miller, netdev, linux-sctp

Hmm, seems to not work.
Problem is that we may have a NULL saddr in sctp_v6_get_dst().
What about adding a new handler in struct sctp_af, like get_xfrm_dst() that will 
be called after get_saddr()? In case of IPv4, it will not do anything.


Regards,
Nicolas

* Re: [PATCH] sctp: IPsec rules are ineffective with ipv6
From: Wei Yongjun @ 2010-01-29  2:03 UTC
  To: nicolas.dichtel; +Cc: Vlad Yasevich, David Miller, netdev, linux-sctp

Nicolas Dichtel wrote:
> Hmm, seems to not work.
> Problem is that we may have a NULL saddr in sctp_v6_get_dst().
> What about adding a new handler in struct sctp_af, like get_xfrm_dst()
> that will be called after get_saddr()? In case of IPv4, it will not do
> anything.

This would work for transmitting SCTP packets under IPSEC; the
problem is that we cannot get the correct PMTU for the
transport. Under IPv4, both transmit and the PMTU are correct.
