[Openswan Users] Revisiting old routing problem. Passthrough conns only creating "dir out" policies.

Paul Wouters paul at xelerance.com
Mon May 11 10:10:08 EDT 2009


On Mon, 11 May 2009, Michael H. Warfield wrote:

>> The problem here is that these policies list no SPI on which they
>> apply. I believe that means now that any IPsec SA can send traffic
>> with that src/dst combination, and it will be accepted by the kernel.


>> The original klips passthrough routes, since they were route based, could
>> only work for the local machine itself. Perhaps Herbert can tell us more
>> about how this would apply safely on netkey?
>
> 	I'm not sure I understand.  These are being selected by the src and dst
> selectors and applying a policy of "none" to that case, which is exactly
> what we want and I'm not sure I see the difference between this and the
> klips "route based" case, other than the fact that routes would be
> selected purely on the destination regardless of the source (which would
> be worse, would it not?).

> ===
>    if(kernel_ops->shunt_eroute) {
>        return kernel_ops->shunt_eroute(c, sr, rt_kind, op, opname);
>    }
> ===
>
> 	In kernel_netlink.c netlink_shunt_eroute() I see this:
>
> ===
>   if (spi == 0)

Oh, if that is getting a spi of 0, then I take it the code would just work
properly without the risks I mentioned above.


>    {
>        /* we're supposed to end up with no eroute: rejig op and opname */
>        switch (op)
>        {
>        case ERO_REPLACE:
>            /* replace with nothing == delete */
>            op = ERO_DELETE;
>            opname = "delete";
>            break;
>        case ERO_ADD:
>            /* add nothing == do nothing */
>            return TRUE;
>        case ERO_DELETE:
>            /* delete remains delete */
>            break;
>
>        case ERO_ADD_INBOUND:
>                break;;
>
>        case ERO_DEL_INBOUND:
>                break;;
> ===
>
> 	SPI = 0 case as you pointed out.
>
> 	So ERO_ADD (return) really seems to be acting very different from
> ERO_ADD_INBOUND (break) and would seem to be only adding the "dir out"
> case (but it just returns from that function, so I'm confused - where
> did the "dir out" get added?).

I'll need to look more at the code to understand what the entire switch case
is necessary to begin with.

Paul


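The thread's symptom is a passthrough conn that installs only a "dir out" xfrm policy, so traffic in the other direction has no matching "dir in" policy. A quick way to check a host for that condition is to parse `ip xfrm policy show` and report every "dir out" src/dst selector whose reverse pair has no "dir in" entry. The script below is an added example, not code from the thread or from Openswan; `one_sided_passthrough` and `SAMPLE_POLICY` are names chosen here, and the sample policy text is constructed in the format `ip xfrm policy show` prints. It checks only out/in pairs, not "dir fwd".

```shell
#!/bin/sh
# Added example: find xfrm policies that exist only as "dir out".
# Input is text in the format printed by `ip xfrm policy show`.

# Constructed sample output (not captured from a real host): a passthrough
# pair that is complete in both directions, plus one that only has "dir out".
SAMPLE_POLICY='src 10.0.1.0/24 dst 10.0.2.0/24
    dir out priority 2080
src 10.0.2.0/24 dst 10.0.1.0/24
    dir in priority 2080
src 192.168.5.0/24 dst 192.168.6.0/24
    dir out priority 2080'

# one_sided_passthrough TEXT
# Prints one line per "dir out" selector (src A dst B) for which no
# "dir in" policy with the reversed selector (src B dst A) is present.
one_sided_passthrough() {
    printf '%s\n' "$1" | awk '
        # A selector line starts a new policy record; remember its src/dst.
        /^src / { src = $2; dst = $4; next }
        # The following "dir" line says which direction the policy applies to.
        /^[ \t]*dir / {
            key = src " " dst
            if ($2 == "out") out[key] = 1
            else if ($2 == "in") in_[key] = 1   # "in" is an awk keyword
        }
        END {
            for (k in out) {
                split(k, p, " ")
                rev = p[2] " " p[1]
                if (!(rev in in_))
                    print "src " p[1] " dst " p[2] " has dir out but no reverse dir in"
            }
        }'
}

# Run against the constructed sample; on a live host use:
#   one_sided_passthrough "$(ip xfrm policy show)"
one_sided_passthrough "$SAMPLE_POLICY"
```

On the sample above only the 192.168.5.0/24 to 192.168.6.0/24 selector is reported, because the 10.0.1.0/24 pair has a matching "dir in" policy in the reverse direction.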