On Tue, Jul 01, 2003 at 10:27:12PM +1000, herbert wrote:
>
> Is there another use for optional templates apart from IPCOMP templates?
> If there isn't, would it be acceptable to implement optional IPCOMP in
> a different way so that we can do exact matches on the policy?

I'd still like to know the answer to this.

In any case, here is the naive solution to the problem of avoiding the
reconstruction of flows for SAs. I've added them to all SAs listed via
__xfrm_state_insert.

Cheers,
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Index: kernel-source-2.5/include/net/xfrm.h =================================================================== RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/include/net/xfrm.h,v retrieving revision 1.7 diff -u -r1.7 xfrm.h --- kernel-source-2.5/include/net/xfrm.h 2 Jul 2003 09:15:50 -0000 1.7 +++ kernel-source-2.5/include/net/xfrm.h 2 Jul 2003 09:32:09 -0000 @@ -16,6 +16,7 @@ #include <net/route.h> #include <net/ipv6.h> #include <net/ip6_fib.h> +#include <net/flow.h> #define XFRM_ALIGN8(len) (((len) + 7) & ~7) @@ -94,6 +95,7 @@ struct xfrm_id id; struct xfrm_selector sel; + struct flowi fl; /* Key manger bits */ struct { Index: kernel-source-2.5/net/xfrm/xfrm_policy.c =================================================================== RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/xfrm/xfrm_policy.c,v retrieving revision 1.9 diff -u -r1.9 xfrm_policy.c --- kernel-source-2.5/net/xfrm/xfrm_policy.c 20 Jun 2003 11:49:08 -0000 1.9 +++ kernel-source-2.5/net/xfrm/xfrm_policy.c 2 Jul 2003 09:41:09 -0000 @@ -867,10 +867,11 @@ /* First, check used SA against their selectors. */ if (skb->sp) { int i; + struct flowi *flp = &fl; for (i=skb->sp->len-1; i>=0; i--) { struct sec_decap_state *xvec = &(skb->sp->x[i]); - if (!xfrm_selector_match(&xvec->xvec->sel, &fl, family)) + if (!xfrm_selector_match(&xvec->xvec->sel, flp, family)) return 0; /* If there is a post_input processor, try running it */ @@ -879,6 +880,8 @@ &(xvec->decap), skb) != 0) return 0; + + flp = &xvec->xvec->fl; } } Index: kernel-source-2.5/net/xfrm/xfrm_state.c =================================================================== RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/xfrm/xfrm_state.c,v retrieving revision 1.3 diff -u -r1.3 xfrm_state.c --- kernel-source-2.5/net/xfrm/xfrm_state.c 2 Jul 2003 09:15:50 -0000 1.3 +++ kernel-source-2.5/net/xfrm/xfrm_state.c 2 Jul 2003 09:39:57 -0000 
@@ -372,8 +372,18 @@ static void __xfrm_state_insert(struct xfrm_state *x) { - unsigned h = xfrm_dst_hash(&x->id.daddr, x->props.family); + unsigned h; + xfrm_address_t *addr; + memset(&x->fl, 0, sizeof(x->fl)); + x->fl.fl_ipsec_spi = x->id.spi; + x->fl.proto = x->id.proto; + addr = xfrm_flowi_saddr(&x->fl, x->props.family); + memcpy(addr, &x->props.saddr, sizeof(*addr)); + addr = xfrm_flowi_daddr(&x->fl, x->props.family); + memcpy(addr, &x->id.daddr, sizeof(*addr)); + + h = xfrm_dst_hash(&x->id.daddr, x->props.family); list_add(&x->bydst, xfrm_state_bydst+h); xfrm_state_hold(x);
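Review bot: the new `struct flowi fl;` member added to `struct xfrm_state` in the second `xfrm.h` hunk (after `struct xfrm_selector sel;`) carries no comment, unlike the neighbouring `/* Key manger bits */` block, and nothing at the declaration says it is a cache derived from `id` and `props` rather than an independent field. Suggest a one-line comment such as `/* flow of this SA's own packets; filled in by __xfrm_state_insert */` so that anyone later touching `id.spi`, `id.proto`, `id.daddr` or `props.saddr` knows the cached copy has to be refreshed too. Embedding `struct flowi` by value also grows every state by the full size of the structure; that cost should be stated in the changelog.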
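Review bot: in the `xfrm_policy.c` hunk the reassignment `flp = &xvec->xvec->fl;` at the end of the loop body silently changes what each outer SA's selector is compared against: entry `x[len-1]` is still matched against the decoded packet flow `fl`, but every earlier entry is now matched against the cached flow of the SA processed in the previous iteration instead of against `fl` as before. That is the intent of the patch, but it is not visible from the code; add a comment above the `for` loop stating the ordering assumption (that `skb->sp->x[]` runs outermost to innermost, so walking it backwards checks each selector against the flow that SA actually saw). Note also that the cached flow is populated with only `spi`, `proto` and the two addresses (see the `xfrm_state.c` hunk), so for the outer SAs every other `flowi` field now compares as zero; that should be checked against what the `fl` previously used for all entries contained.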
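Review bot: the two `memcpy(addr, ..., sizeof(*addr))` calls in the `__xfrm_state_insert` hunk copy `sizeof(xfrm_address_t)` (16 bytes, the size of the union) regardless of `x->props.family`. For AF_INET, `xfrm_flowi_saddr`/`xfrm_flowi_daddr` point at the 4-byte `fl4_src`/`fl4_dst` members, and `fl4_src` sits directly after `fl4_dst` in the `ip4_u` union, so the second `memcpy` into the destination address overwrites the source address written by the first one with the trailing bytes of `x->id.daddr`. Copy only the address width for the family (4 bytes for AF_INET, 16 for AF_INET6), or compare with a family-aware helper instead of copying into the flowi at all. Separately, the flow is filled in only here, so it goes stale if `x->id` or `x->props.saddr` change on an already inserted state and is never set for a state that bypasses this function; factoring the `memset` through the second `memcpy` into a small helper (`xfrm_state_fill_flow(x)` or similar) that every such path calls would keep it consistent. It also relies on `x->props.saddr` being populated: a state installed with an unspecified source address yields an all-zero source in the cached flow, and an outer SA whose selector carries a source prefix will then stop matching.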