Re: [RFC, PATCH 4/5]: netfilter+ipsec

To:	Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject:	Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup
From:	Patrick McHardy <kaber@xxxxxxxxx>
Date:	Fri, 19 Mar 2004 17:34:58 +0100
Cc:	"David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<20040319115130.GE29066@gondor.apana.org.au>
References:	<20040308110331.GA20719@gondor.apana.org.au> <404C874D.4000907@trash.net> <20040308115858.75cdddca.davem@redhat.com> <4059CF17.8090907@trash.net> <20040319115130.GE29066@gondor.apana.org.au>
Sender:	netdev-bounce@xxxxxxxxxxx
User-agent:	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040122 Debian/1.6-1

To:

Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Subject:

Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup

From:

Patrick McHardy <kaber@xxxxxxxxx>

Date:

Fri, 19 Mar 2004 17:34:58 +0100

Cc:

"David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx

In-reply-to:

<20040319115130.GE29066@gondor.apana.org.au>

References:

<20040308110331.GA20719@gondor.apana.org.au> <404C874D.4000907@trash.net> <20040308115858.75cdddca.davem@redhat.com> <4059CF17.8090907@trash.net> <20040319115130.GE29066@gondor.apana.org.au>

Sender:

netdev-bounce@xxxxxxxxxxx

User-agent:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040122 Debian/1.6-1

Herbert Xu wrote:

On Thu, Mar 18, 2004 at 05:32:23PM +0100, Patrick McHardy wrote:

@@ -635,7 +636,6 @@
#ifdef CONFIG_IP_ROUTE_FWMARK
                fl.nl_u.ip4_u.fwmark = (*pskb)->nfmark;
#endif
-               fl.proto = iph->protocol;

Better call __ip_route_output_key rather than not setting proto because
you'll need proto in xfrm_lookup.

                if (ip_route_output_key(&rt, &fl) != 0)
                        return -1;

@@ -661,6 +661,20 @@
        
        if ((*pskb)->dst->error)
                return -1;
+
+#ifdef CONFIG_XFRM
+       if (!(IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)) {
+               struct xfrm_policy_afinfo *afinfo;
+
+               afinfo = xfrm_policy_get_afinfo(AF_INET);
+               if (afinfo != NULL) {
+                       afinfo->decode_session(*pskb, &fl);
+                       xfrm_policy_put_afinfo(afinfo);
+                       if (xfrm_lookup(&(*pskb)->dst, &fl, (*pskb)->sk, 0) != 
0)
+                               return -1;
+               }
+       }
+#endif

If we can reinject transport packets then we can move this back into
the if clause.


I don't understand the relationship to transport mode packets. I used an
explicit call to xfrm_lookup so packets with non-local source are also
handled. We also need to protect against loops, packets which are
already transformed should not be transformed again.

Regards
Patrick

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, (continued) Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, Herbert Xu Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, Patrick McHardy Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, Herbert Xu Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, Herbert Xu Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, Herbert Xu Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, Patrick McHardy [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, David S. Miller Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy <= Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Alexander Samad Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Alexander Samad

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, Patrick McHardy
Next by Date:	PROBLEM: e100 fails under heavy load after ACPI suspend, Jody McIntyre
Previous by Thread:	Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu
Next by Thread:	Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks, Patrick McHardy

Next by Date:

PROBLEM: e100 fails under heavy load after ACPI suspend, Jody McIntyre

Previous by Thread:

Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu

Next by Thread:

Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu

Indexes:

[Date] [Thread] [Top] [All Lists]