[Openswan dev] Patch for review.
David McCullough
david_mccullough at mcafee.com
Wed Jun 30 08:53:49 EDT 2010
Jivin Kirill Berezin lays it down ...
> I tested this patch for AH only and esp only tunnels. I used ping to
> test connectivity and tcpdump to make sure of low level packet
> structure. Everything seems fine.
>
> The commentary and commented out code is the part of original code. I am
> not sure about all the possible usage patterns and decided not to remove
> original code.
Sorry, your patch was backwards to what I was expecting and I misread it ;-)
> The main idea of a patch is to move ident select from ipsec_xmit_send
> procedure, the last in coding pipeline, to ipsec_xmit_ipip, where, I
> suppose, the header is to be created.
I think it looks safe enough. I'll give it a test tomorrow ;-)
Thanks,
Davidm
> On 30.06.2010 14:52, David McCullough wrote:
> >
> > Jivin Kirill Berezin lays it down ...
> >> Hi.
> >>
> >> I found, by chance, the AH xmit path for klips protocol stack is a bit
> >> broken. After a small research I found the ident field for ip header is
> >> selected after generation of a hash for a packet. According to RFC 2402
> >> ident must be selected before generation of a hash.
>
> >>
> >> A possible fix is in the attachment, I hope it will be useful.
> >
> > Have you had a chance to test that patch ?
> >
> > It's just based on the comment, and the presence of the commented out code,
> > I suspect it may not work. But if you have tested it then I am ok with it ;-)
> >
> > Cheers,
> > Davidm
> >
> >> --- ./openswan-2.6.26_new/linux/net/ipsec/ipsec_xmit.c 2010-06-30 04:43:07.000000000 +0400
> >> +++ ./openswan-2.6.26/linux/net/ipsec/ipsec_xmit.c 2010-05-26 02:36:41.000000000 +0400
> >> @@ -976,7 +976,6 @@
> >> ixs->newdst = (__u32)ixs->iph->daddr;
> >> ixs->newsrc = (__u32)ixs->iph->saddr;
> >>
> >> - KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb);
> >> #ifdef NET_21
> >> skb_set_transport_header(ixs->skb, ipsec_skb_offset(ixs->skb, ip_hdr(ixs->skb)));
> >> #endif /* NET_21 */
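Review bot: the file headers have the trees swapped ("---" names openswan-2.6.26_new, "+++" names openswan-2.6.26), so this hunk reads as deleting KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb); after the newsrc assignment, the opposite of the stated intent to select ident at this point. Please regenerate the diff with the unmodified tree on the "---" side so it applies forward and the call shows up here as an added line.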
> >> @@ -2043,7 +2042,7 @@
> >> }
> >>
> >> /* newer kernels require skb->dst to be set in KLIPS_IP_SELECT_IDENT */
> >> - /* KLIPS_IP_SELECT_IDENT(ip_hdr(ixs->skb), ixs->skb); */
> >> + KLIPS_IP_SELECT_IDENT(ip_hdr(ixs->skb), ixs->skb);
> >>
> >> /* fix up the checksum after changes to the header */
> >> ip_hdr(ixs->skb)->check = 0;
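Review bot: the context comment directly above the changed line says newer kernels require skb->dst to be set in KLIPS_IP_SELECT_IDENT, and read in the intended direction the call leaves this site for the earlier one in the first hunk, so please confirm skb->dst is already set at that earlier point on the kernels the comment refers to. Rather than leaving the call commented out under a comment that no longer explains anything, I would delete it and reword the comment to say that ident is now selected earlier so that the AH hash covers it.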
> >
> >> _______________________________________________
> >> Dev mailing list
> >> Dev at openswan.org
> >> http://lists.openswan.org/mailman/listinfo/dev
> >
> >
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
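
Added example, not part of the original thread and not Openswan code: a small Python model of the ordering problem reported above, in which the AH ICV (HMAC-SHA1-96 here) is computed over the outer IPv4 header with only the mutable fields zeroed, so an ident written after the hash makes the receiver's check fail. The key, SPI, addresses and the placeholder ident of 0 at hash time are constructed assumptions.

```python
import hashlib, hmac, struct

AH_PROTO, ICV_LEN, SPI = 51, 12, 0x1000              # SPI is a constructed value
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # constructed addresses

def ipv4_header(ident, total_len, ttl=64):
    """20-byte outer IPv4 header, no options; checksum left 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl,
                       AH_PROTO, 0, SRC, DST)

def zero_mutable(hdr):
    """Zero what RFC 2402 treats as mutable: TOS, flags/fragment offset, TTL, checksum.
    Identification (bytes 4-5) is immutable, so it stays in the ICV input."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_header(seq, icv=bytes(ICV_LEN)):
    """AH: next header 4 (IP-in-IP), length in 32-bit words minus 2, SPI, sequence, ICV."""
    return struct.pack("!BBHII", 4, (12 + ICV_LEN) // 4 - 2, 0, SPI, seq) + icv

def compute_icv(key, ip_hdr, seq, payload):
    """HMAC-SHA1-96 over zeroed-mutable IP header, AH with zero ICV, and payload."""
    data = zero_mutable(ip_hdr) + ah_header(seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def send(key, ident, payload, ident_before_icv):
    """Sender. ident_before_icv=False models the ordering reported in the thread;
    the placeholder ident of 0 at hash time is an assumption of this sketch."""
    total = 20 + 12 + ICV_LEN + len(payload)
    hdr = ipv4_header(ident if ident_before_icv else 0, total)
    icv = compute_icv(key, hdr, 1, payload)
    if not ident_before_icv:
        hdr = ipv4_header(ident, total)               # ident picked after the hash
    return hdr + ah_header(1, icv) + payload

def verify(key, packet):
    """Receiver: recompute the ICV from the packet as it arrived."""
    ip_hdr, ah, payload = packet[:20], packet[20:20 + 12 + ICV_LEN], packet[44:]
    seq = struct.unpack("!I", ah[8:12])[0]
    return hmac.compare_digest(ah[12:], compute_icv(key, ip_hdr, seq, payload))

if __name__ == "__main__":
    key = b"constructed-test-key"
    print("ident before hash:", verify(key, send(key, 0x1234, b"inner packet", True)))
    print("ident after hash: ", verify(key, send(key, 0x1234, b"inner packet", False)))
```

A TTL change in transit still verifies because TTL is zeroed before hashing; any change to the ident bytes does not.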