Brian
Mika Penttilä wrote:
struct flowi contains union { struct ports; struct icmpt; ...} and xfrm_selector_match() tests for ports, so it gets icmp (implicitly) ok. But decode_session(), indeed, seems to miss icmp entirely...
--Mika
> Brian Buesker wrote:
One other thing. The setkey command supports specifying the type and code when inserting a security policy for ICMP or ICMPv6. However, it does not appear that __xfrm[46]_selector_match nor _decode_session[46] handle ICMP or ICMPv6. Shouldn't fl->fl_icmp_type and fl->fl_icmp_code also be set in _decode_session[456] when the header is an ICMP or ICMPv6 packet?
__xfrm[46]_selector_match will also need to be modified so that they properly handle ICMP and ICMPv6 types and codes.
Brian Buesker
Mika Penttilä wrote:
Brian Buesker wrote:
In 2.6.0-test8 (and older versions), is there a reason why _decode_session6 does not set fl->proto at all? I tried to find
Because it is a bug :)
another place where it might be getting set, but I did not see any instance of this? The equivalent IPv4 function (_decode_session4) does set fl->proto to iph->protocol at the end of the function? Shouldn't the protocol get set so that inbound packets can be correctly checked against the entries in the SPD?
--Mika
- : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
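The effect discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a simplified user-space model in which a decoder that leaves the protocol and ICMP type/code unset can never match an ICMPv6-specific policy selector. All struct layouts, function names and the sample packet are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum { PROTO_ICMPV6 = 58, IP6_HDR_LEN = 40 };
/* Hypothetical, simplified stand-ins for the flow key and the policy selector. */
struct flow {
    uint8_t proto;
    union { struct { uint16_t sport, dport; } ports;
            struct { uint8_t type, code; } icmpt; } u;
};
struct selector { uint8_t proto; int icmp_type, icmp_code; }; /* -1 = wildcard */
/* Models the decode the thread describes: proto and ICMP fields are never filled in. */
int decode_missing(const uint8_t *pkt, size_t len, struct flow *fl) {
    (void)pkt;
    memset(fl, 0, sizeof(*fl));
    return len >= IP6_HDR_LEN ? 0 : -1;
}

/* Fills proto and ICMPv6 type/code. Assumes no extension headers (model limitation). */
int decode_full(const uint8_t *pkt, size_t len, struct flow *fl) {
    memset(fl, 0, sizeof(*fl));
    if (len < IP6_HDR_LEN) return -1;
    fl->proto = pkt[6];                       /* Next Header of the fixed IPv6 header */
    if (fl->proto == PROTO_ICMPV6) {
        if (len < IP6_HDR_LEN + 2) return -1; /* truncated ICMPv6 header */
        fl->u.icmpt.type = pkt[IP6_HDR_LEN];
        fl->u.icmpt.code = pkt[IP6_HDR_LEN + 1];
    }
    return 0;
}

/* A selector with proto 0 matches any protocol; ICMP fields are checked only for ICMPv6. */
int selector_match(const struct selector *s, const struct flow *fl) {
    if (s->proto && s->proto != fl->proto) return 0;
    if (s->proto == PROTO_ICMPV6) {
        if (s->icmp_type >= 0 && s->icmp_type != fl->u.icmpt.type) return 0;
        if (s->icmp_code >= 0 && s->icmp_code != fl->u.icmpt.code) return 0;
    }
    return 1;
}

/* Constructed packet (bare IPv6 + ICMPv6 header); 1 if the echo-request-only policy matches. */
int policy_hits(int use_full, uint8_t icmp_type) {
    uint8_t pkt[IP6_HDR_LEN + 8] = {0};
    struct selector echo_only = { PROTO_ICMPV6, 128, 0 };
    struct flow fl;
    pkt[0] = 0x60; pkt[6] = PROTO_ICMPV6; pkt[IP6_HDR_LEN] = icmp_type;
    if ((use_full ? decode_full : decode_missing)(pkt, sizeof pkt, &fl) != 0) return -1;
    return selector_match(&echo_only, &fl);
}
int main(void) { return policy_hits(1, 128) == 1 && policy_hits(0, 128) == 0 ? 0 : 1; }
```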