[Openswan dev] Patch for review.
Kirill Berezin
kyb at online.ru
Wed Jun 30 09:28:32 EDT 2010
On 30.06.2010 16:53, David McCullough wrote:
>
> Jivin Kirill Berezin lays it down ...
>> I tested this patch for AH only and esp only tunnels. I used ping to
>> test connectivity and tcpdump to make sure of low level packet
>> structure. Everything seems fine.
>>
>> The commentary and commented out code is the part of original code. I am
>> not sure about all the possible usage patterns and decided not to remove
>> original code.
>
> Sorry, your patch was backwards to what I was expecting and I misread it ;-)
Oh, that a shame, I accidently swapped directories.
>
>> The main idea of a patch is to move ident select from ipsec_xmit_send
>> procedure, the last in coding pipeline, to ipsec_xmit_ipip, where, I
>> suppose, the header is to be created.
>
> I think it looks safe enough. I'll give it a test tomorrow ;-)
This would be great.
>
> Thanks,
> Davidm
>
>> On 30.06.2010 14:52, David McCullough wrote:
>>>
>>> Jivin Kirill Berezin lays it down ...
>>>> Hi.
>>>>
>>>> I found, by chance, the AH xmit path for klips protocol stack is a bit
>>>> broken. After a small research I found the ident field for ip header is
>>>> selected after generation of a hash for a packet. According to RFC 2402
>>>> ident must be selected before generation of a hash.
>>
>>>>
>>>> A possible fix is in the attachment, I hope it will be usefull.
>>>
>>> Have you had a chance to test that patch ?
>>>
>>> It's just based on the comment, and the presense of the commented out code,
>>> I suspect it may not work. But if you have tested it then I am ok with it ;-)
>>>
>>> Cheers,
>>> Davidm
>>>
>>>> --- ./openswan-2.6.26_new/linux/net/ipsec/ipsec_xmit.c 2010-06-30 04:43:07.000000000 +0400
>>>> +++ ./openswan-2.6.26/linux/net/ipsec/ipsec_xmit.c 2010-05-26 02:36:41.000000000 +0400
>>>> @@ -976,7 +976,6 @@
>>>> ixs->newdst = (__u32)ixs->iph->daddr;
>>>> ixs->newsrc = (__u32)ixs->iph->saddr;
>>>>
>>>> - KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb);
>>>> #ifdef NET_21
>>>> skb_set_transport_header(ixs->skb, ipsec_skb_offset(ixs->skb, ip_hdr(ixs->skb)));
>>>> #endif /* NET_21 */
>>>> @@ -2043,7 +2042,7 @@
>>>> }
>>>>
>>>> /* newer kernels require skb->dst to be set in KLIPS_IP_SELECT_IDENT */
>>>> - /* KLIPS_IP_SELECT_IDENT(ip_hdr(ixs->skb), ixs->skb); */
>>>> + KLIPS_IP_SELECT_IDENT(ip_hdr(ixs->skb), ixs->skb);
>>>>
>>>> /* fix up the checksum after changes to the header */
>>>> ip_hdr(ixs->skb)->check = 0;
>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/dev
>>>
>>>
>>
>> _______________________________________________
>> Dev mailing list
>> Dev at openswan.org
>> http://lists.openswan.org/mailman/listinfo/dev
>>
>>
>
More information about the Dev
mailing list