[Openswan Users]

Gary W. Smith gary at primeexalia.com
Sat Apr 23 15:03:20 CEST 2005 

I usually start off with saying "I'm really rusty at c/c++ but between
pptp, openswan and iptables I've had to get back into the mix of things.
Anyways, here is the patch that I used for RHEL 4 (which RH has since
back ported for their next update - according to the email they send me
on their bugzilla).

Since I put this patch in place on the kernel I haven't had a single
problem with openswan (less the issue with getting psk and greenbow to
play together).  In fact, the whole thing is working pretty sweat... 

As for the patch I think I originally found it in some mail archive (so
don't give me credit for it as it was just a cut, paste, compile and
test scenario...)


diff -urN linux-2.6.9.orig/net/ipv4/xfrm4_output.c
linux-2.6.9/net/ipv4/xfrm4_output.c
--- linux-2.6.9.orig/net/ipv4/xfrm4_output.c	2004-10-18
14:53:44.000000000 -0700
+++ linux-2.6.9/net/ipv4/xfrm4_output.c	2005-04-10 10:25:47.000000000
-0700
@@ -105,17 +105,17 @@
 			goto error_nolock;
 	}
 
-	spin_lock_bh(&x->lock);
-	err = xfrm_state_check(x, skb);
-	if (err)
-		goto error;
-
 	if (x->props.mode) {
 		err = xfrm4_tunnel_check_size(skb);
 		if (err)
-			goto error;
+			goto error_nolock;
 	}
 
+	spin_lock_bh(&x->lock);
+	err = xfrm_state_check(x, skb);
+	if (err)
+		goto error;
+
 	xfrm4_encap(skb);
 
 	err = x->type->output(skb);
diff -urN linux-2.6.9.orig/net/ipv6/xfrm6_output.c
linux-2.6.9/net/ipv6/xfrm6_output.c
--- linux-2.6.9.orig/net/ipv6/xfrm6_output.c	2005-04-10
10:22:18.000000000 -0700
+++ linux-2.6.9/net/ipv6/xfrm6_output.c	2005-04-10 10:27:12.000000000
-0700
@@ -105,17 +105,17 @@
 			goto error_nolock;
 	}
 
-	spin_lock_bh(&x->lock);
-	err = xfrm_state_check(x, skb);
-	if (err)
-		goto error;
-
 	if (x->props.mode) {
 		err = xfrm6_tunnel_check_size(skb);
 		if (err)
-			goto error;
+			goto error_nolock;
 	}
 
+	spin_lock_bh(&x->lock);
+	err = xfrm_state_check(x, skb);
+	if (err)
+		goto error;
+
 	xfrm6_encap(skb);
 
 	err = x->type->output(skb);



-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-2.6.9-ipsec-spinlock.patch
Type: application/octet-stream
Size: 1338 bytes
Desc: linux-2.6.9-ipsec-spinlock.patch
Url : http://lists.openswan.org/pipermail/users/attachments/20050423/edbc4445/linux-2.6.9-ipsec-spinlock.obj

More information about the Users mailing list