[Openswan Users] Revisiting old routing problem. Passthrough conns only creating "dir out" policies.

Michael H. Warfield mhw at WittsEnd.com
Mon May 11 10:04:34 EDT 2009


On Mon, 2009-05-11 at 09:53 -0400, Michael H. Warfield wrote:

	:

> 	Debugging, I saw in the code where it prints this:  "request to add a
> prospective erouted policy with netkey kernel --- experimental".  Yeah,
> ok...
> 
> 	I can see why adding the two policies works and I can understand why
> adding the single policy doesn't.

> 	Around line 2858 in programs/pluto/kernel.c I see this:

	Actually, the more I look at this area of code the more I think the
debugging prints have led me in the wrong direction.  I don't think this is
where I need to be looking at all, now.  Sigh...

	Suggestions on where I should be looking?

> ===
>         /* if no state provided, then install a shunt for later */
>         if (st == NULL)
>             eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
>                                             , ERO_ADD, "add");
>         else
>             eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
> ===
> 
> 	And, of course, shunt_eroute calls netlink_shunt_eroute here:
> 
> ===
>     if(kernel_ops->shunt_eroute) {
>         return kernel_ops->shunt_eroute(c, sr, rt_kind, op, opname);
>     }
> ===
> 	
> 	In kernel_netlink.c netlink_shunt_eroute() I see this:
> 
> ===
>    if (spi == 0)
>     {
>         /* we're supposed to end up with no eroute: rejig op and opname */
>         switch (op)
>         {
>         case ERO_REPLACE:
>             /* replace with nothing == delete */
>             op = ERO_DELETE;
>             opname = "delete";
>             break;
>         case ERO_ADD:
>             /* add nothing == do nothing */
>             return TRUE;
>         case ERO_DELETE:
>             /* delete remains delete */
>             break;
> 
>         case ERO_ADD_INBOUND:
>                 break;;
> 
>         case ERO_DEL_INBOUND:
>                 break;;
> ===
> 
> 	SPI = 0 case as you pointed out.
> 
> 	So ERO_ADD (return) really seems to be acting very differently from
> ERO_ADD_INBOUND (break) and would seem to be only adding the "dir out"
> case (but it just returns from that function, so I'm confused - where
> did the "dir out" get added?).
> 
> 	Seems like something different should be done back in kernel.c but
> that's really scary to me since that would impact the other modes
> (klips) and that's not where I expect to plug in something that's netkey
> specific.
> 
> > Paul

	Regards,
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
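As an added check that is not part of this thread or of Openswan itself: a script that parses a saved `ip xfrm policy` dump (a constructed sample is embedded; the parser assumes the usual "src ... dst ..." header line followed by an indented "dir out|in|fwd" line) and lists outbound selectors that have no matching inbound policy, which is the one-sided passthrough symptom described above.

```python
import re
import sys

# Constructed sample of `ip xfrm policy` output, not captured from a real host.
# The 10.1.0.0/16 <-> 10.2.0.0/16 passthrough has only its "dir out" half,
# while 10.1.0.0/16 <-> 10.3.0.0/16 has out, in and fwd policies.
SAMPLE = """\
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 1000 ptype main
src 10.1.0.0/16 dst 10.3.0.0/16
    dir out priority 1000 ptype main
src 10.3.0.0/16 dst 10.1.0.0/16
    dir in priority 1000 ptype main
src 10.3.0.0/16 dst 10.1.0.0/16
    dir fwd priority 1000 ptype main
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)")
DIRECTION = re.compile(r"^\s+dir (out|in|fwd)\b")

def parse_policies(text):
    """Return a list of (src, dst, direction) tuples from `ip xfrm policy` output."""
    policies, cur = [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            cur = (m.group(1), m.group(2))
            continue
        m = DIRECTION.match(line)
        if m and cur:
            policies.append((cur[0], cur[1], m.group(1)))
    return policies

def unmatched_outbound(policies):
    """Outbound selectors whose reverse (dst -> src) has no 'dir in' policy.

    Packets leave in the clear as intended, but the return path has no
    inbound passthrough, which is what a one-sided shunt looks like."""
    inbound = {(s, d) for s, d, direction in policies if direction == "in"}
    return sorted((s, d) for s, d, direction in policies
                  if direction == "out" and (d, s) not in inbound)

if __name__ == "__main__":
    # With no argument parse the constructed sample; otherwise read a saved dump.
    text = SAMPLE if len(sys.argv) < 2 else open(sys.argv[1]).read()
    for src, dst in unmatched_outbound(parse_policies(text)):
        print(f"only 'dir out' for {src} -> {dst}; no 'dir in' for {dst} -> {src}")
```

Save the output of `ip xfrm policy` to a file and pass its path to compare against what `ipsec auto --status` says the passthrough conn should have installed.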
