[Openswan dev] mangled packets, ESP on mast0, after ip_select_ident() fix

David McCullough david_mccullough at mcafee.com
Tue Jul 19 01:02:09 EDT 2011


Jivin Paul Wouters lays it down ...
> 
> I've tracked down the recent issues with protostack=mast, and found that the
> following commit seems to have badly broken the mast stack:
> 
> commit 86a5945e20ffa61936e93b52c499e06b465c4403
> Author: David McCullough <david_mccullough at mcafee.com>
> Date:   Thu Jun 2 15:26:48 2011 +1000
> 
>      Routing cache corruption due to ip_select_ident
> 
>      The comments in the code said that dst has to be set before calling
>      ip_select_ident, but dst wasn't set correctly.
> 
>      It was corrupting a private value (rt->rt6i_nfheader_len) that would then
>      result in ip6_output calculating invalid mtu/packet sizing and rejecting the
>      transmission of a packet with EMSGSIZE.
> 
>      Rework the dst settings and ip_select_ident code so that it all gets done
>      in the correct sequence.  This helps clean up the flowi code a little and
>      it is easier now to clean it up properly at some point w.r.t. IPv6.
> 
> Though I don't understand yet why this broke mast, but not klips. It also means
> we unfortunately released 2.6.34 with a broken mast stack. I'd like to correct
> this for 2.6.35.
> 
> To reproduce the failure, just setup a simple host-host tunnel with one
> end protostack=klips and the other end protostack=mast. Then send a ping
> while tcpdumping the mast0 interface.  You will see the ping fail and
> ESP packets on the mast0 interface.
> 
> The attached patch reverts 86a5945 based on current head (required a little manual
> patching) and fixes the above test to work properly again.

I'm a bit confused, does the patch below fix something to do with the
change above? They seem completely unrelated to me. If that's the only
change needed to fix it then go for it ;-)

Cheers,
Davidm

> diff -r -c -N openswan-2.6.16dr1/programs/pluto/kernel_netlink.c openswan-2.6.16dr2/programs/pluto/kernel_netlink.c
> *** openswan-2.6.16dr1/programs/pluto/kernel_netlink.c	2008-07-05 01:09:01.000000000 -0400
> --- openswan-2.6.16dr2/programs/pluto/kernel_netlink.c	2008-07-06 12:31:30.000000000 -0400
> ***************
> *** 58,64 ****
>   #include <security/pam_appl.h>
>   #endif
>   
> ! const struct pfkey_proto_info null_proto_info[2];
>   
>   static const struct pfkey_proto_info broad_proto_info[2] = { 
>           {
> --- 58,64 ----
>   #include <security/pam_appl.h>
>   #endif
>   
> ! extern const struct pfkey_proto_info null_proto_info[2];
>   
>   static const struct pfkey_proto_info broad_proto_info[2] = { 
>           {
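Review bot: The extern declaration introduced at line 61 of kernel_netlink.c is hand-written in the .c file, and the kernel_pfkey.c hunk repeats the identical line. Put `extern const struct pfkey_proto_info null_proto_info[2];` in one shared header that both files include, so the element type and array size cannot drift between the two copies.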
> diff -r -c -N openswan-2.6.16dr1/programs/pluto/kernel_pfkey.c openswan-2.6.16dr2/programs/pluto/kernel_pfkey.c
> *** openswan-2.6.16dr1/programs/pluto/kernel_pfkey.c	2008-07-05 01:09:01.000000000 -0400
> --- openswan-2.6.16dr2/programs/pluto/kernel_pfkey.c	2008-07-06 12:31:30.000000000 -0400
> ***************
> *** 74,80 ****
>    */
>   struct eroute_info *orphaned_holds = NULL;
>   
> ! const struct pfkey_proto_info null_proto_info[2];
>   
>   static pid_t pid;
>   
> --- 74,80 ----
>    */
>   struct eroute_info *orphaned_holds = NULL;
>   
> ! extern const struct pfkey_proto_info null_proto_info[2];
>   
>   static pid_t pid;
>   
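Review bot: With the definition at line 77 of kernel_pfkey.c also turned into an extern declaration, neither file touched by this patch defines null_proto_info any longer, so the link only succeeds if exactly one other translation unit provides it. Either keep the single definition here or state in the patch description which file holds it. Since the array is const and has no initializer, a one-line comment at the definition saying it relies on zero-initialization would also help.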


-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org

