----- Forwarded message from bugme-daemon@xxxxxxxx -----
Date: Tue, 4 Nov 2003 08:54:36 -0800
Subject: [Bug 1490] New: _decode_session does not set type or code for ICMP
Summary: _decode_session does not set type or code for ICMP
Kernel Version: 2.6.0-test9
Distribution: Redhat 9
Hardware Environment: x86
Software Environment: ipsec-tools-0.2.2
The _decode_session functions do not set the type and code for ICMP and
ICMPv6. These values need to be set so that policies can be matched based on
these fields, since setkey allows for specifying policies based on the type and
Furthermore, __xfrm_selector_match does not correctly handle ICMP and ICMPv6.
The type should be compared against the xfrm_selector's sport field, and the
code should be compared against the dport field. The type and code are both 8
bit fields, whereas __xfrm_selector_match is comparing 16 bit values.
Steps to reproduce:
Insert a policy into the SPD using setkey that requires IPsec protection. For
example, require inbound router advertisements to be protected with ESP with the
spdadd ::/0 ::/0 icmp6 134,0 -P in ipsec esp/transport//require;
Then send a router advertisement to the system under test. The packet will not
be dropped, and the system will generate an IPv6 address.
----- End forwarded message -----
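
The matching problem in the report, as an added example (not kernel code and not part of the original message): a simplified model in which the ICMPv6 type is carried in the selector's sport slot and the code in its dport slot. The struct and function names are hypothetical, values are kept in host byte order for brevity, and the router advertisement header bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define PROTO_ICMPV6 58

/* Hypothetical, simplified stand-ins for the flow key and policy selector. */
struct flow_key { uint8_t proto; uint16_t sport, dport; };
struct selector { uint8_t proto; uint16_t sport, sport_mask, dport, dport_mask; };

/* Behaviour described in the report: ICMP type and code are never copied. */
static void decode_unfixed(uint8_t proto, struct flow_key *fl)
{
    fl->proto = proto; fl->sport = 0; fl->dport = 0;
}

/* Requested behaviour: 8-bit type and code widened into the 16-bit slots. */
static int decode_fixed(const uint8_t *l4, size_t len, uint8_t proto,
                        struct flow_key *fl)
{
    fl->proto = proto; fl->sport = 0; fl->dport = 0;
    if (proto == PROTO_ICMPV6) {
        if (len < 2) return -1;      /* truncated header: cannot classify */
        fl->sport = l4[0];           /* ICMPv6 type */
        fl->dport = l4[1];           /* ICMPv6 code */
    }
    return 0;
}

static int selector_match(const struct selector *s, const struct flow_key *fl)
{
    if (s->proto && s->proto != fl->proto) return 0;
    return ((fl->sport ^ s->sport) & s->sport_mask) == 0 &&
           ((fl->dport ^ s->dport) & s->dport_mask) == 0;
}

/* Returns 1 if a selector modelling "icmp6 134,0" picks up the given header. */
int policy_matches(int fixed, uint8_t type, uint8_t code)
{
    const uint8_t hdr[4] = { type, code, 0x00, 0x00 };  /* constructed header */
    struct selector sel = { PROTO_ICMPV6, 134, 0xffff, 0, 0xffff };
    struct flow_key fl;

    if (!fixed)
        decode_unfixed(PROTO_ICMPV6, &fl);
    else if (decode_fixed(hdr, sizeof hdr, PROTO_ICMPV6, &fl) != 0)
        return 0;
    return selector_match(&sel, &fl);
}
```

With the unfixed decoder the type-134 header never matches the selector, so the "require" policy is not applied to it; with the fixed decoder only type 134, code 0 matches.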