[Openswan dev] mangled packets, ESP on mast0, after ip_select_ident() fix

Paul Wouters paul at xelerance.com
Tue Jul 19 00:06:43 EDT 2011


I've tracked down the recent issues with protostack=mast, and found that the
following commit seems to have badly broken the mast stack:

commit 86a5945e20ffa61936e93b52c499e06b465c4403
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Jun 2 15:26:48 2011 +1000

     Routing cache corruption due to ip_select_ident

     The comments in the code said that dst has to be set before calling
     ip_select_ident, but dst wasn't set correctly.

     It was corrupting a private value (rt->rt6i_nfheader_len) that would then
     result in ip6_output calculating invalid mtu/packet sizing and rejecting the
     transmission of a packet with EMSGSIZE.

     Rework the dst settings and ip_select_ident code so that it all gets done
     in the correct sequence.  This helps clean up the flowi code a little and
     it is easier now to clean it up properly at some point w.r.t. IPv6.

Though I don't understand yet why this broke mast, but not klips. It also means
we unfortunately released 2.6.34 with a broken mast stack. I'd like to correct
this for 2.6.35.

To reproduce the failure, just set up a simple host-host tunnel with one
end protostack=klips and the other end protostack=mast. Then send a ping
while tcpdumping the mast0 interface.  You will see the ping fail and
ESP packets on the mast0 interface.

The attached patch reverts 86a5945 based on current head (required a little manual
patching) and fixes the above test to work properly again.

Paul
-------------- next part --------------
diff -r -c -N openswan-2.6.16dr1/programs/pluto/kernel_netlink.c openswan-2.6.16dr2/programs/pluto/kernel_netlink.c
*** openswan-2.6.16dr1/programs/pluto/kernel_netlink.c	2008-07-05 01:09:01.000000000 -0400
--- openswan-2.6.16dr2/programs/pluto/kernel_netlink.c	2008-07-06 12:31:30.000000000 -0400
***************
*** 58,64 ****
  #include <security/pam_appl.h>
  #endif
  
! const struct pfkey_proto_info null_proto_info[2];
  
  static const struct pfkey_proto_info broad_proto_info[2] = { 
          {
--- 58,64 ----
  #include <security/pam_appl.h>
  #endif
  
! extern const struct pfkey_proto_info null_proto_info[2];
  
  static const struct pfkey_proto_info broad_proto_info[2] = { 
          {
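Review bot: the file headers on this hunk (openswan-2.6.16dr1 against openswan-2.6.16dr2, programs/pluto/kernel_netlink.c, timestamps from 2008-07) do not match the change the message describes, a revert of 86a5945 in the dst / ip_select_ident code, so this looks like the wrong attachment and should be checked before anyone applies it. On the change itself at 58,64: turning `const struct pfkey_proto_info null_proto_info[2];` into an `extern` declaration here, with the same edit in kernel_pfkey.c, leaves no definition of the array anywhere in the visible patch. Exactly one translation unit has to keep the definition, or the link fails with an undefined reference; please include that file in the patch or name it in the description.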
diff -r -c -N openswan-2.6.16dr1/programs/pluto/kernel_pfkey.c openswan-2.6.16dr2/programs/pluto/kernel_pfkey.c
*** openswan-2.6.16dr1/programs/pluto/kernel_pfkey.c	2008-07-05 01:09:01.000000000 -0400
--- openswan-2.6.16dr2/programs/pluto/kernel_pfkey.c	2008-07-06 12:31:30.000000000 -0400
***************
*** 74,80 ****
   */
  struct eroute_info *orphaned_holds = NULL;
  
! const struct pfkey_proto_info null_proto_info[2];
  
  static pid_t pid;
  
--- 74,80 ----
   */
  struct eroute_info *orphaned_holds = NULL;
  
! extern const struct pfkey_proto_info null_proto_info[2];
  
  static pid_t pid;
  
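Review bot: the `extern const struct pfkey_proto_info null_proto_info[2];` added at 74,80 is the second hand-written copy of this declaration in a .c file (the first is in kernel_netlink.c). Move it into a header that both files and the defining file include, so the compiler checks the type and the array size against the definition instead of each file trusting its own copy. The definition that remains should also carry an explicit initializer or a comment stating that the all-zero contents are intended, since the removed line relied on a tentative definition being zero-filled.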

