Hi David: IPIP still didn't work after my last fix. It turns out that the security path is not cleared for packets inside the tunnel. This breaks when the SA selectors on the outside of the tunnel only allow packets with the same source/destination address. This patch clears the security path for all tunnel packets. Cheers, -- Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ ) Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Index: kernel-source-2.5/net/ipv4/ip_gre.c =================================================================== RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv4/ip_gre.c,v retrieving revision 1.1.1.12 diff -u -r1.1.1.12 ip_gre.c --- kernel-source-2.5/net/ipv4/ip_gre.c 8 Oct 2003 19:24:26 -0000 1.1.1.12 +++ kernel-source-2.5/net/ipv4/ip_gre.c 14 Oct 2003 08:19:11 -0000 @@ -37,6 +37,7 @@ #include <net/arp.h> #include <net/checksum.h> #include <net/inet_ecn.h> +#include <net/xfrm.h> #ifdef CONFIG_IPV6 #include <net/ipv6.h> @@ -600,6 +601,9 @@ read_lock(&ipgre_lock); if ((tunnel = ipgre_tunnel_lookup(iph->saddr, iph->daddr, key)) != NULL) { + secpath_put(skb->sp); + skb->sp = NULL; + skb->mac.raw = skb->nh.raw; skb->nh.raw = __pskb_pull(skb, offset); memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); Index: kernel-source-2.5/net/ipv4/ipip.c =================================================================== RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv4/ipip.c,v retrieving revision 1.4 diff -u -r1.4 ipip.c --- kernel-source-2.5/net/ipv4/ipip.c 13 Oct 2003 12:35:29 -0000 1.4 +++ kernel-source-2.5/net/ipv4/ipip.c 13 Oct 2003 21:58:32 -0000 @@ -483,6 +483,9 @@ return 0; } + secpath_put(skb->sp); + skb->sp = NULL; + skb->mac.raw = skb->nh.raw; skb->nh.raw = skb->data; memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); Index: kernel-source-2.5/net/ipv6/ip6_tunnel.c =================================================================== RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv6/ip6_tunnel.c,v retrieving revision 1.1.1.5 diff -u -r1.1.1.5 ip6_tunnel.c --- kernel-source-2.5/net/ipv6/ip6_tunnel.c 27 Sep 2003 00:02:03 -0000 1.1.1.5 +++ kernel-source-2.5/net/ipv6/ip6_tunnel.c 14 Oct 2003 08:19:26 -0000 
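Review bot: Nothing visible in the ipgre receive hunk checks inbound IPsec policy against the outer packet before `secpath_put(skb->sp); skb->sp = NULL;` discards the record of which SAs that packet passed through. If no such check runs earlier in the receive path (the enclosing function starts and ends outside the hunk), a policy that requires protection between the tunnel endpoints can no longer be enforced on the encapsulating packet once the secpath is gone. Consider validating before the reset, e.g. `if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))` followed by that function's existing drop path, with `xfrm6_policy_check` as the counterpart in ip6_tunnel.c. The same question applies to the ipip.c, ip6_tunnel.c and sit.c hunks.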
@@ -47,6 +47,7 @@ #include <net/ip6_route.h> #include <net/addrconf.h> #include <net/ip6_tunnel.h> +#include <net/xfrm.h> MODULE_AUTHOR("Ville Nuorvala"); MODULE_DESCRIPTION("IPv6-in-IPv6 tunnel"); @@ -514,6 +515,8 @@ read_unlock(&ip6ip6_lock); goto discard; } + secpath_put(skb->sp); + skb->sp = NULL; skb->mac.raw = skb->nh.raw; skb->nh.raw = skb->data; skb->protocol = htons(ETH_P_IPV6); Index: kernel-source-2.5/net/ipv6/sit.c =================================================================== RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv6/sit.c,v retrieving revision 1.1.1.11 diff -u -r1.1.1.11 sit.c --- kernel-source-2.5/net/ipv6/sit.c 8 Oct 2003 19:24:46 -0000 1.1.1.11 +++ kernel-source-2.5/net/ipv6/sit.c 14 Oct 2003 08:19:31 -0000 @@ -49,6 +49,7 @@ #include <net/icmp.h> #include <net/ipip.h> #include <net/inet_ecn.h> +#include <net/xfrm.h> /* This version of net/ipv6/sit.c is cloned of net/ipv4/ip_gre.c @@ -376,6 +377,8 @@ read_lock(&ipip6_lock); if ((tunnel = ipip6_tunnel_lookup(iph->saddr, iph->daddr)) != NULL) { + secpath_put(skb->sp); + skb->sp = NULL; skb->mac.raw = skb->nh.raw; skb->nh.raw = skb->data; memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
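Review bot: The pair `secpath_put(skb->sp); skb->sp = NULL;` is now open-coded in four receive functions (this ip6_tunnel.c hunk plus ip_gre.c, ipip.c and sit.c). A later caller that copies only the first statement would leave `skb->sp` pointing at a secpath whose reference has been dropped. A small inline in net/xfrm.h that holds both statements, e.g. `static inline void secpath_reset(struct sk_buff *skb)`, would keep the release and the clear together. It would also give one place to stub the operation out if `secpath_put` is unavailable in builds without CONFIG_XFRM, which cannot be determined from the patch.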