[Openswan dev] Trying to bugfix klips issue with kernel 2.6.35 and newer

Andreas Herz andi at geekosphere.org
Tue Jun 26 05:49:32 EDT 2012


Hi,

I already reported that issue on the IRC channel and now want to patch
it with your help. With kernel 2.6.35 they introduced the function
skb_orphan_try() in net/core/dev.c that calls skb_orphan when the sk is
set and no tx_flags. This change resulted in the following bug with
openswan (tested with 2.6.36 and 2.6.38 release):

We use KLIPS and authentication by CA. The first problem was that the
packet with the certificate was bigger than 1400 and got fragmented. The
second part of the packet couldn't go through because the source port was
not found.
At "klips_debug:ipsec_xmit_SAlookup:" the sport was = 0 instead of 500
and when I put more debug information into klips_debug I saw that the
skb->sk was never set and so the udphdr was used for the first part
to detect the sport but that didn't work for the second part of the
packet (udphdr is null).
One workaround was to set override_mtu to 1560 or higher to get the
packet through without fragmentation. Then there was a 30 second delay
between "STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_128 prf=oakley_sha group=modp2048}" and "initiating Quick
Mode RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK to replace #50
{using isakmp#56 msgid:31cc42e0 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}".

What I found out is that the problem is that skb->sk is not set in
ipsec_tunnel.c when checked via "if(ixs->skb->sk)" in the
"ipsec_tunnel_SAlookup" function. The reason I found is the new function
skb_orphan_try that calls skb_orphan that flushes the skb->sk to NULL.
If I remove the skb_orphan_try function in net/core/dev.c everything is
working as expected.

What I'm asking now is, could you tell me if this is a kernel bug or
could it be fixed within openswan? The only solution to prevent the
skb_orphan_try function from executing skb_orphan is to set the tx_flags,
because the check is:

if (sk && !skb_shinfo(skb)->tx_flags)

And we need the sk so only setting skb_shinfo(skb)->tx_flags to some
value would help. Is this an option for openswan to set these flags at
some place?

Greetings

-- 
Andreas Herz
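
The failure described in this message, as an added user-space C model that is not part of the original post and is neither kernel nor Openswan code. All struct and function names here (the `_model` types, `orphan_try_model`, `lookup_sport_model`, `xmit_sport`) are hypothetical, and ports are kept in host byte order for simplicity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space stand-ins, not the kernel's real structures. */
struct sock_model   { uint16_t sport; };
struct udphdr_model { uint16_t source; };
struct skb_model {
    struct sock_model   *sk;       /* owning socket, may be NULL */
    uint8_t              tx_flags; /* stands in for skb_shinfo(skb)->tx_flags */
    struct udphdr_model *udp;      /* NULL for a non-first IP fragment */
};

/* The check quoted in the post: orphan only when sk is set and tx_flags is 0. */
static void orphan_try_model(struct skb_model *skb)
{
    if (skb->sk && !skb->tx_flags)
        skb->sk = NULL;            /* effect of skb_orphan() as the post describes it */
}

/* Lookup order described in the post: socket first, UDP header as fallback. */
static uint16_t lookup_sport_model(const struct skb_model *skb)
{
    if (skb->sk)
        return skb->sk->sport;
    if (skb->udp)
        return skb->udp->source;
    return 0;                      /* nothing left to read the port from */
}

/* Push one IKE packet (or fragment) through the model; return the sport seen. */
static uint16_t xmit_sport(int first_fragment, uint8_t tx_flags, int orphan_enabled)
{
    struct sock_model   ike = { 500 };
    struct udphdr_model uh  = { 500 };
    struct skb_model    skb = { &ike, tx_flags, first_fragment ? &uh : NULL };

    if (orphan_enabled)
        orphan_try_model(&skb);
    return lookup_sport_model(&skb);
}

int main(void)
{
    printf("first fragment, orphaned:     sport=%u\n", (unsigned)xmit_sport(1, 0, 1));
    printf("second fragment, orphaned:    sport=%u\n", (unsigned)xmit_sport(0, 0, 1));
    printf("second fragment, tx_flags set: sport=%u\n", (unsigned)xmit_sport(0, 1, 1));
    printf("second fragment, no orphan:   sport=%u\n", (unsigned)xmit_sport(0, 0, 0));
    return 0;
}
```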

