
Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 20 Mar 2004 08:05:25 +1100
Cc: "David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <405B2132.6060403@xxxxxxxxx>
References: <20040308110331.GA20719@xxxxxxxxxxxxxxxxxxx> <404C874D.4000907@xxxxxxxxx> <20040308115858.75cdddca.davem@xxxxxxxxxx> <4059CF17.8090907@xxxxxxxxx> <20040319115130.GE29066@xxxxxxxxxxxxxxxxxxx> <405B2132.6060403@xxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.5.1+cvs20040105i
On Fri, Mar 19, 2004 at 05:34:58PM +0100, Patrick McHardy wrote:
> Herbert Xu wrote:
> >On Thu, Mar 18, 2004 at 05:32:23PM +0100, Patrick McHardy wrote:
> >
> >>@@ -635,7 +636,6 @@
> >>#ifdef CONFIG_IP_ROUTE_FWMARK
> >>            fl.nl_u.ip4_u.fwmark = (*pskb)->nfmark;
> >>#endif
> >>-           fl.proto = iph->protocol;
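Review bot: with `fl.proto = iph->protocol` dropped, the route lookup that follows runs on a flow key with no protocol, while the policy lookup added in the next hunk keys on it; either keep the assignment here, or switch that call to __ip_route_output_key so no policy lookup happens on the incomplete key before decode_session fills it in.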
> >
> >
> >Better call __ip_route_output_key rather than not setting proto because
> >you'll need proto in xfrm_lookup.

Right, you're calling decode_session below which is much better.

> >>@@ -661,6 +661,20 @@
> >>    
> >>    if ((*pskb)->dst->error)
> >>            return -1;
> >>+
> >>+#ifdef CONFIG_XFRM
> >>+   if (!(IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)) {
> >>+           struct xfrm_policy_afinfo *afinfo;
> >>+
> >>+           afinfo = xfrm_policy_get_afinfo(AF_INET);
> >>+           if (afinfo != NULL) {
> >>+                   afinfo->decode_session(*pskb, &fl);
> >>+                   xfrm_policy_put_afinfo(afinfo);
> >>+                   if (xfrm_lookup(&(*pskb)->dst, &fl, (*pskb)->sk, 0) 
> >>!= 0)
> >>+                           return -1;
> >>+           }
> >>+   }
> >>+#endif
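Review bot: this block runs for every packet that reaches this point, but ip_route_me_harder serves both the input and the output path, and the policy lookup is only meaningful on output; gate it on the same branch that selects the output route lookup above. Also, when xfrm_policy_get_afinfo(AF_INET) returns NULL the packet is routed with no policy check at all; consider returning -1 there rather than silently skipping the check, and a short comment on why IPSKB_XFRM_TRANSFORMED packets are exempt would help the next reader.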
> >
> >
> >If we can reinject transport packets then we can move this back into
> >the if clause.
> 
> I don't understand the relationship to transport mode packets. I used an

Actually it was me who was confused.  ip_route_me_harder can be called
on both incoming/outgoing packets.  That's what the if clause is trying
to determine.  You should only call xfrm_lookup on the outgoing path.

So this should be moved back to the if clause above:

                fl.proto = iph->protocol;
                /* Plain route lookup, no policy check: used for packets
                 * the IPsec code has already transformed. */
                lookup = __ip_route_output_key;
#ifdef CONFIG_XFRM
                if (!(IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)) {
                        /* Outgoing and not yet transformed: decode the
                         * session into fl and use the xfrm-aware lookup.
                         * (afinfo is a struct xfrm_policy_afinfo *
                         * declared at the top of the function.) */
                        lookup = ip_route_output_key;
                        afinfo = xfrm_policy_get_afinfo(AF_INET);
                        if (afinfo != NULL) {
                                afinfo->decode_session(*pskb, &fl);
                                xfrm_policy_put_afinfo(afinfo);
                        }
                }
#endif
                if (lookup(&rt, &fl) != 0)
                        return -1;
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
