a couple of comments on xfrm

Hi,

Here are a few comments I have on xfrm:

1. When an SPD entry is added (see "pfkey_spdadd"), xp->selector.family isn't set accordingly. Therefore, when making a netlink XFRM_MSG_DELPOLICY or XFRM_MSG_GETPOLICY call, this information is completely missing because (unlike "xfrm_policy") "xfrm_userpolicy_info" has no "family" member. As a result the selector sent to the kernel must have "family" set to 0, otherwise the match will fail.

The mega patch that fixes this would look like:

--- net/key/af_key.c.orig       2004-03-23 15:39:14.000000000 +0100
+++ net/key/af_key.c    2004-03-23 18:56:43.000000000 +0100
@@ -1863,6 +1863,7 @@
                err = -EINVAL;
                goto out;
        }
+       xp->selector.family = xp->family;
        xp->selector.prefixlen_s = sa->sadb_address_prefixlen;
        xp->selector.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
        xp->selector.sport = ((struct sockaddr_in *)(sa+1))->sin_port;
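Review bot: the added `xp->selector.family = xp->family;` is only correct if xp->family has already been filled in at this point in pfkey_spdadd; the hunk shows the preceding -EINVAL check and the selector field setup that follows, but not where xp->family is assigned, so confirm that assignment happens before this line (if xp->family is only set later, the selector still carries family 0 and the DELPOLICY/GETPOLICY match described in the mail keeps failing). A one-line comment on the new line would also help, since xfrm_userpolicy_info has no family member and a reader will not otherwise see why the selector needs to carry one.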



2. "xfrm_policy_bysel" compares selectors using memcmp. However, if a policy rule from, say, 10.0.0.0/8 to 20.0.0.0/8 (protocol, etc.) has been established, I guess traffic from 10.1.1.1/32 to 20.2.2.2/32 (same protocol, etc.) must match it. I believe some functions similar to __xfrm4_selector_match/__xfrm6_selector_match would be required here.

Regards,
John.
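The two behaviours the mail contrasts, shown side by side in an added example that is not part of the original message or of the kernel's xfrm code. It uses a hypothetical, IPv4-only stand-in for struct xfrm_selector (same field names, simplified layout) and a small flow struct; "sel_equal_memcmp" reproduces the byte-for-byte comparison the mail attributes to xfrm_policy_bysel, while "sel_match_flow" does a prefix-aware match in the spirit of __xfrm4_selector_match. The addresses, prefixes and protocol are the ones from the mail; everything else is constructed for the example. It demonstrates point 1 (a selector whose family is 0 is not memcmp-equal to the same selector with family AF_INET) and point 2 (a /32 host selector is not memcmp-equal to the /8 policy selector, although a flow between those hosts is covered by the policy under prefix matching), without taking a position on which comparison xfrm_policy_bysel should use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical, IPv4-only stand-in for struct xfrm_selector (not the kernel's
 * layout).  Addresses and ports are in network byte order, as inet_pton()
 * produces them and as the kernel stores them. */
struct sel {
    uint32_t daddr, saddr;
    uint16_t dport, sport;      /* 0 = any */
    uint16_t family;            /* AF_INET, or 0 if never filled in */
    uint8_t  prefixlen_d, prefixlen_s;
    uint8_t  proto;             /* 0 = any */
};

/* The packet fields a selector is matched against. */
struct flow {
    uint32_t daddr, saddr;
    uint16_t dport, sport;
    uint8_t  proto;
};

static void make_sel(struct sel *s, const char *dst, unsigned plen_d,
                     const char *src, unsigned plen_s, uint8_t proto, uint16_t family)
{
    memset(s, 0, sizeof *s);    /* zero the padding too, so memcmp() is meaningful */
    inet_pton(AF_INET, dst, &s->daddr);
    inet_pton(AF_INET, src, &s->saddr);
    s->prefixlen_d = (uint8_t)plen_d;
    s->prefixlen_s = (uint8_t)plen_s;
    s->proto = proto;
    s->family = family;
}

static void make_flow(struct flow *f, const char *dst, const char *src, uint8_t proto)
{
    memset(f, 0, sizeof *f);
    inet_pton(AF_INET, dst, &f->daddr);
    inet_pton(AF_INET, src, &f->saddr);
    f->proto = proto;
}

/* Network-order mask covering the first plen bits of an IPv4 address. */
static uint32_t mask4(unsigned plen)
{
    return plen ? htonl(~0u << (32 - plen)) : 0;
}

static int addr_match(uint32_t a, uint32_t b, unsigned plen)
{
    return ((a ^ b) & mask4(plen)) == 0;
}

/* Exact comparison as the mail describes xfrm_policy_bysel: every byte,
 * family included, must agree. */
static int sel_equal_memcmp(const struct sel *a, const struct sel *b)
{
    return memcmp(a, b, sizeof *a) == 0;
}

/* Prefix-aware match in the spirit of __xfrm4_selector_match: the flow's
 * addresses only have to fall inside the selector's prefixes. */
static int sel_match_flow(const struct sel *s, const struct flow *f)
{
    return addr_match(s->daddr, f->daddr, s->prefixlen_d)
        && addr_match(s->saddr, f->saddr, s->prefixlen_s)
        && (s->proto == 0 || s->proto == f->proto)
        && (s->dport == 0 || s->dport == f->dport)
        && (s->sport == 0 || s->sport == f->sport);
}

/* Point 1: stored selector vs. user-supplied selector differing only in family. */
int exact_lookup_with_family(uint16_t stored_family, uint16_t wanted_family)
{
    struct sel stored, wanted;
    make_sel(&stored, "20.0.0.0", 8, "10.0.0.0", 8, IPPROTO_TCP, stored_family);
    make_sel(&wanted, "20.0.0.0", 8, "10.0.0.0", 8, IPPROTO_TCP, wanted_family);
    return sel_equal_memcmp(&stored, &wanted);
}

/* Point 2a: a /32 host selector compared byte-for-byte with the /8 policy. */
int host_selector_equals_policy(void)
{
    struct sel policy, host;
    make_sel(&policy, "20.0.0.0", 8, "10.0.0.0", 8, IPPROTO_TCP, AF_INET);
    make_sel(&host, "20.2.2.2", 32, "10.1.1.1", 32, IPPROTO_TCP, AF_INET);
    return sel_equal_memcmp(&policy, &host);
}

/* Point 2b: a TCP flow matched against the /8 policy with prefix semantics. */
int flow_matches_policy(const char *dst, const char *src)
{
    struct sel policy;
    struct flow f;
    make_sel(&policy, "20.0.0.0", 8, "10.0.0.0", 8, IPPROTO_TCP, AF_INET);
    make_flow(&f, dst, src, IPPROTO_TCP);
    return sel_match_flow(&policy, &f);
}

int main(void)
{
    printf("memcmp, family AF_INET vs 0:        %d\n", exact_lookup_with_family(AF_INET, 0));
    printf("memcmp, family AF_INET vs AF_INET:  %d\n", exact_lookup_with_family(AF_INET, AF_INET));
    printf("memcmp, /32 host sel vs /8 policy:  %d\n", host_selector_equals_policy());
    printf("prefix match 10.1.1.1 -> 20.2.2.2:  %d\n", flow_matches_policy("20.2.2.2", "10.1.1.1"));
    printf("prefix match 11.1.1.1 -> 20.2.2.2:  %d\n", flow_matches_policy("20.2.2.2", "11.1.1.1"));
    return 0;
}
```

Build with `cc -Wall selector_demo.c` (file name is arbitrary). The memset() in the constructors matters: memcmp() over a struct with padding is only deterministic when the padding is zeroed, which is also why a single unset field such as family is enough to make a byte-for-byte policy lookup fail. The real struct xfrm_selector carries more fields (address union, port masks, ifindex, user id), so this is a model of the comparison semantics, not a drop-in for either kernel function.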