improper initialization of ipsec_table in openswan 2.4.9


 



Hi,

While working with openswan 2.4.9 on kernel 2.6.22.7, I found a bug in the file sysctl_net_ipsec.c.
The initialization of ipsec_table is incorrect for newer kernel versions because the ctl_table structure was updated.
The 7th field, which now refers to *parent, was mistakenly initialized with *proc_handler, as it was in older kernel versions.
As a result, the ipsec proc entries under /proc/sys/net/ipsec were created as directories instead of files, which led to improper behavior of openswan.
Patch attached - the patch is only for newer kernel versions. Of course, it should be updated for backward compatibility.


Regards,
Eran Ben-Avi



--- linux/net/ipsec/sysctl_net_ipsec.c	2004-07-10 17:11:18.000000000 -0200
+++ ../openswan-2.4.9_a/linux/net/ipsec/sysctl_net_ipsec.c	2007-11-06 11:13:13.000000000 -0200
@@ -74,45 +74,45 @@
 static ctl_table ipsec_table[] = {
 #ifdef CONFIG_KLIPS_DEBUG
 	{ NET_IPSEC_DEBUG_AH, "debug_ah", &debug_ah,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_ESP, "debug_esp", &debug_esp,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_TUNNEL, "debug_tunnel", &debug_tunnel,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_EROUTE, "debug_eroute", &debug_eroute,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_SPI, "debug_spi", &debug_spi,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_RADIJ, "debug_radij", &debug_radij,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_NETLINK, "debug_netlink", &debug_netlink,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_XFORM, "debug_xform", &debug_xform,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_RCV, "debug_rcv", &debug_rcv,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_PFKEY, "debug_pfkey", &debug_pfkey,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_DEBUG_VERBOSE, "debug_verbose",&sysctl_ipsec_debug_verbose,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 #ifdef CONFIG_KLIPS_IPCOMP
 	{ NET_IPSEC_DEBUG_IPCOMP, "debug_ipcomp", &sysctl_ipsec_debug_ipcomp,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 #endif /* CONFIG_KLIPS_IPCOMP */
 
 #ifdef CONFIG_KLIPS_REGRESS
 	{ NET_IPSEC_REGRESS_PFKEY_LOSSAGE, "pfkey_lossage",
 	  &sysctl_ipsec_regress_pfkey_lossage,
-	  sizeof(int), 0644, NULL, &proc_dointvec},
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},
 #endif /* CONFIG_KLIPS_REGRESS */
 
 #endif /* CONFIG_KLIPS_DEBUG */
 	{ NET_IPSEC_ICMP, "icmp", &sysctl_ipsec_icmp,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_INBOUND_POLICY_CHECK, "inbound_policy_check", &sysctl_ipsec_inbound_policy_check,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{ NET_IPSEC_TOS, "tos", &sysctl_ipsec_tos,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	  sizeof(int), 0644, NULL, NULL, &proc_dointvec},    
 	{0}
 };
 
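Review bot: Every entry of ipsec_table, from `debug_ah` through `tos`, is still initialized positionally, so `&proc_dointvec` lands in the right member only for one exact layout of ctl_table. Built against a struct without `parent`, or one that gains another member, the fields shift again, possibly with nothing more than a compiler warning. Designated initializers remove the dependence on member order and should let one table serve both layouts, e.g. `{ .ctl_name = NET_IPSEC_ICMP, .procname = "icmp", .data = &sysctl_ipsec_icmp, .maxlen = sizeof(int), .mode = 0644, .proc_handler = &proc_dointvec },`. This matters beyond the debug knobs: `inbound_policy_check` and `icmp` are registered through the same table, so a misregistered entry presumably leaves those settings impossible to inspect or change under /proc/sys/net/ipsec. A short comment above the table naming the ctl_table members each entry sets would also help the next port.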
