[Openswan dev] Patch for review.
Kirill Berezin
kyb at online.ru
Wed Jun 30 07:57:58 EDT 2010
I tested this patch for AH-only and ESP-only tunnels. I used ping to
test connectivity and tcpdump to check the low-level packet
structure. Everything seems fine.
The comment and the commented-out code are part of the original code. I am
not sure about all the possible usage patterns and decided not to remove
the original code.
The main idea of the patch is to move the ident select from the ipsec_xmit_send
procedure, the last in the coding pipeline, to ipsec_xmit_ipip, where, I
suppose, the header is to be created.
kirill
On 30.06.2010 14:52, David McCullough wrote:
>
> Jivin Kirill Berezin lays it down ...
>> Hi.
>>
>> I found, by chance, that the AH xmit path for the klips protocol stack is a bit
>> broken. After a little research I found the ident field for the IP header is
>> selected after generation of a hash for a packet. According to RFC 2402
>> the ident must be selected before generation of a hash.
>>
>> A possible fix is in the attachment, I hope it will be useful.
>
> Have you had a chance to test that patch ?
>
> It's just based on the comment, and the presence of the commented out code,
> I suspect it may not work. But if you have tested it then I am ok with it ;-)
>
> Cheers,
> Davidm
>
>> --- ./openswan-2.6.26_new/linux/net/ipsec/ipsec_xmit.c 2010-06-30 04:43:07.000000000 +0400
>> +++ ./openswan-2.6.26/linux/net/ipsec/ipsec_xmit.c 2010-05-26 02:36:41.000000000 +0400
>> @@ -976,7 +976,6 @@
>> ixs->newdst = (__u32)ixs->iph->daddr;
>> ixs->newsrc = (__u32)ixs->iph->saddr;
>>
>> - KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb);
>> #ifdef NET_21
>> skb_set_transport_header(ixs->skb, ipsec_skb_offset(ixs->skb, ip_hdr(ixs->skb)));
>> #endif /* NET_21 */
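Review bot: the file headers appear to have the trees swapped (openswan-2.6.26_new on the `---` side, openswan-2.6.26 on the `+++` side), so as posted this hunk deletes the `KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb);` call that follows the newdst/newsrc assignments, while the description says the ident selection is being moved earlier, to where the header is created. Please regenerate the diff with the original tree first so it applies in the intended direction, and add a one-line comment at this call stating that the ident has to be fixed before the AH hash is generated, which is the RFC 2402 point raised in the thread.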
>> @@ -2043,7 +2042,7 @@
>> }
>>
>> /* newer kernels require skb->dst to be set in KLIPS_IP_SELECT_IDENT */
>> - /* KLIPS_IP_SELECT_IDENT(ip_hdr(ixs->skb), ixs->skb); */
>> + KLIPS_IP_SELECT_IDENT(ip_hdr(ixs->skb), ixs->skb);
>>
>> /* fix up the checksum after changes to the header */
>> ip_hdr(ixs->skb)->check = 0;
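Review bot: the comment kept above this call says newer kernels require skb->dst to be set in KLIPS_IP_SELECT_IDENT, and nothing in the patch shows that skb->dst is already set at the other call site near line 976. Please confirm that on newer kernels, and make sure only one of the two sites stays active, since a second ident selection after the hash would bring back the AH problem described in the thread. Rather than leaving the call here as commented-out code, delete it or extend the comment to say why it moved.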
>
>> _______________________________________________
>> Dev mailing list
>> Dev at openswan.org
>> http://lists.openswan.org/mailman/listinfo/dev
>
>
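Why the ordering discussed in this thread matters, as an added example (not code from Openswan or from the posters): RFC 2402 zeroes the mutable IPv4 fields before hashing but keeps Identification in the integrity check, so a sender that picks the ident after hashing emits packets the receiver rejects. The key, addresses, SPI, payload and function names are constructed for illustration; HMAC-SHA1-96 as the AH algorithm and an ident of 0 before selection are assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"                            # constructed sample key
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # documentation addresses

def ipv4_header(ident, ttl=64, total_len=68):
    # 20-byte IPv4 header, protocol 51 (AH), checksum left at 0 for the demo
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, 51, 0, SRC, DST)

def ah_header(spi=0x1000, seq=1):
    # next header 4 (IP-in-IP), payload len 4, reserved, SPI, sequence, zeroed 96-bit ICV
    return struct.pack("!BBHII12s", 4, 4, 0, spi, seq, b"")

def icv_view(hdr):
    # RFC 2402: TOS, flags/fragment offset, TTL and checksum are mutable and zeroed;
    # version, length, identification, protocol and addresses stay in the hash
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_icv(hdr, payload):
    data = icv_view(hdr) + ah_header() + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96

def send(payload, ident, ident_before_hash):
    # Header as it looks when the ICV is computed: ident chosen already, or still 0
    at_hash_time = ipv4_header(ident if ident_before_hash else 0)
    icv = ah_icv(at_hash_time, payload)
    return ipv4_header(ident), icv        # the chosen ident is on the wire either way

def forward(hdr):
    # A router on the path decrements TTL (a mutable field)
    b = bytearray(hdr)
    b[8] -= 1
    return bytes(b)

def receiver_accepts(hdr, payload, icv):
    return hmac.compare_digest(ah_icv(hdr, payload), icv)

if __name__ == "__main__":
    payload = b"constructed inner packet"
    for order in (True, False):
        hdr, icv = send(payload, 0x1C46, order)
        print("ident before hash:", order, "-> accepted:", receiver_accepts(forward(hdr), payload, icv))
```

A tcpdump capture alone would not show the difference, because both orderings put the same ident on the wire; only the receiver's ICV check tells them apart.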