[Openswan dev] Patch for review.

Kirill Berezin kyb at online.ru
Wed Jun 30 09:28:32 EDT 2010


On 30.06.2010 16:53, David McCullough wrote:
>
> Jivin Kirill Berezin lays it down ...
>> I tested this patch for AH only and esp only tunnels. I used ping to
>> test connectivity and tcpdump to make sure of low level packet
>> structure. Everything seems fine.
>>
>> The commentary and commented-out code are part of the original code. I am
>> not sure about all the possible usage patterns and decided not to remove
>> the original code.
>
> Sorry, your patch was backwards to what I was expecting and I misread it ;-)

Oh, that's a shame, I accidentally swapped directories.

>
>> The main idea of the patch is to move the ident select from the ipsec_xmit_send
>> procedure, the last in the coding pipeline, to ipsec_xmit_ipip, where, I
>> suppose, the header is to be created.
>
> I think it looks safe enough. I'll give it a test tomorrow ;-)

This would be great.

>
> Thanks,
> Davidm
>
>> On 30.06.2010 14:52, David McCullough wrote:
>>>
>>> Jivin Kirill Berezin lays it down ...
>>>> Hi.
>>>>
>>>> I found, by chance, that the AH xmit path for the klips protocol stack is a bit
>>>> broken. After a little research I found the ident field for the ip header is
>>>> selected after generation of a hash for a packet. According to RFC 2402
>>>> ident must be selected before generation of a hash.
>>
>>>>
>>>> A possible fix is in the attachment, I hope it will be useful.
>>>
>>> Have you had a chance to test that patch ?
>>>
>>> It's just based on the comment, and the presence of the commented out code,
>>> I suspect it may not work. But if you have tested it then I am ok with it ;-)
>>>
>>> Cheers,
>>> Davidm
>>>
>>>> --- ./openswan-2.6.26_new/linux/net/ipsec/ipsec_xmit.c	2010-06-30 04:43:07.000000000 +0400
>>>> +++ ./openswan-2.6.26/linux/net/ipsec/ipsec_xmit.c	2010-05-26 02:36:41.000000000 +0400
>>>> @@ -976,7 +976,6 @@
>>>>    	ixs->newdst = (__u32)ixs->iph->daddr;
>>>>    	ixs->newsrc = (__u32)ixs->iph->saddr;
>>>>    	
>>>> -	KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb);
>>>>    #ifdef NET_21
>>>>    	skb_set_transport_header(ixs->skb, ipsec_skb_offset(ixs->skb, ip_hdr(ixs->skb)));
>>>>    #endif /* NET_21 */
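Review bot: the diff is reversed, so the "-" line at 976 reads as removing KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb) when it is meant to add it: the "---" header names openswan-2.6.26_new and the "+++" header names openswan-2.6.26. Please regenerate with the original tree as the old side so it applies without -R. Two further points on the new call site: the comment visible in the second hunk says newer kernels require skb->dst to be set for this macro, so confirm skb->dst is already valid at line 976; and a one-line comment here stating that the ident has to be chosen before the AH hash is computed (RFC 2402) would record why the call lives at this point.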
>>>> @@ -2043,7 +2042,7 @@
>>>>    	}
>>>>
>>>>    	/* newer kernels require skb->dst to be set in KLIPS_IP_SELECT_IDENT */
>>>> -	/* KLIPS_IP_SELECT_IDENT(ip_hdr(ixs->skb), ixs->skb); */
>>>> +	KLIPS_IP_SELECT_IDENT(ip_hdr(ixs->skb), ixs->skb);
>>>>
>>>>    	/* fix up the checksum after changes to the header */
>>>>    	ip_hdr(ixs->skb)->check = 0;
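Review bot: read in the intended direction (the diff is reversed), the call at 2043 is left behind as commented-out code under a comment that still says newer kernels require skb->dst to be set in KLIPS_IP_SELECT_IDENT, which invites someone to re-enable it and change the ident after the hash has been generated. Suggest deleting the dead line and replacing the comment with one saying the ident is now selected earlier, before hashing. Since the description says the call moves from ipsec_xmit_send to ipsec_xmit_ipip and testing covered AH-only and ESP-only tunnels, please also confirm that packets which reach this point without passing through the earlier call site still get an ident selected.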
>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/dev
>>>
>>>
>>
>
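
Added example, not part of the original thread and not Openswan code: a Python sketch of why the ordering reported above matters, showing that the AH ICV covers the IPv4 ident field (immutable under RFC 2402) but not TTL (mutable). The key, addresses, SPI, payload and the choice of HMAC-SHA1-96 as the AH transform are constructed assumptions.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"          # constructed sample key
FMT = "!BBHHHBBH4s4s"                  # IPv4 header without options
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # documentation addresses

def ipv4_header(ident, ttl=64, total_len=52):
    # ver/IHL, TOS, total length, ident, flags/frag, TTL, proto 51 (AH), checksum, src, dst
    return struct.pack(FMT, 0x45, 0, total_len, ident, 0, ttl, 51, 0, SRC, DST)

def zero_mutable(hdr):
    # RFC 2402 zeroes the mutable IPv4 fields before the ICV is computed:
    # TOS, flags/fragment offset, TTL and header checksum. Ident is NOT one of them.
    f = list(struct.unpack(FMT, hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(FMT, *f)

def ah_header(spi, seq, icv=bytes(12)):
    # next header 4 (IP-in-IP), payload length (24 / 4) - 2 = 4, reserved, SPI, sequence, ICV
    return struct.pack("!BBHII", 4, 4, 0, spi, seq) + icv

def compute_icv(ip_hdr, spi, seq, payload):
    # ICV covers the IP header (mutable fields zeroed), the AH header with a zero ICV, and the payload
    data = zero_mutable(ip_hdr) + ah_header(spi, seq) + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96

def verify(ip_hdr, spi, seq, payload, received_icv):
    return hmac.compare_digest(compute_icv(ip_hdr, spi, seq, payload), received_icv)

def demo(spi=0x1000, seq=1, payload=b"\x00" * 8):
    # ident selected first, then hashed: receiver accepts
    hdr = ipv4_header(ident=0x1234)
    good = verify(hdr, spi, seq, payload, compute_icv(hdr, spi, seq, payload))
    # hashed first, ident selected afterwards (the order reported in the thread): receiver rejects
    stale_icv = compute_icv(ipv4_header(ident=0), spi, seq, payload)
    late = verify(ipv4_header(ident=0x1234), spi, seq, payload, stale_icv)
    # TTL decremented in transit is a mutable field, so the ICV still verifies
    routed = verify(ipv4_header(ident=0x1234, ttl=63), spi, seq, payload,
                    compute_icv(hdr, spi, seq, payload))
    return {"ident_before_hash": good, "ident_after_hash": late, "ttl_changed": routed}

if __name__ == "__main__":
    print(demo())
```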
