Thread: [Ipsec-tools-devel] Is there a bug about xfrm_lookup in xfrm_ policy.c?
From: <liu...@12...> - 2007-05-23 09:07:08
|
Is there a bug about xfrm_lookup in xfrm_policy.c?

    int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
                    struct sock *sk, int flags)
    {
        ....

        struct dst_entry *dst, *dst_orig = *dst_p;   /* note */
        ....

        /* if policy is "spdadd 10.0.11.0/24[any] 10.0.11.33/32[any] any -P out none",
           should it reach here? I think so */
        switch (policy->action) {
        case XFRM_POLICY_BLOCK:
            /* Prohibit the flow */
            err = -EPERM;
            goto error;
        case XFRM_POLICY_ALLOW:
            .....
        }

        /* note: if policy is none, the packet should be sent out.
           but, now in this case dst = ? */
        *dst_p = dst;
        dst_release(dst_orig);
        xfrm_pols_put(pols, npols);
        return 0;

        ....
    }

I think there is a bug about none policy, isn't there?
|
From: VANHULLEBUS Y. <va...@fr...> - 2007-05-23 09:15:45
|
Hi.

Looks you are talking about a potential bug in Linux's kernel, so you
should try some Linux kernel MLs (well, I guess some people who can
answer your mail read this list).

ipsec-tools MLs are for ipsec-tools USERLAND programs....

Yvan.

On Wed, May 23, 2007 at 05:06:51PM +0800, liu...@12... wrote:
> Is there a bug about xfrm_lookup in xfrm_policy.c?
>
> int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
>                 struct sock *sk, int flags)
> {
>     ....
>
>     struct dst_entry *dst, *dst_orig = *dst_p;   /* note */
>     ....
>
>     /* if policy is "spdadd 10.0.11.0/24[any] 10.0.11.33/32[any] any -P out none",
>        should it reach here? I think so */
>     switch (policy->action) {
>     case XFRM_POLICY_BLOCK:
>         /* Prohibit the flow */
>         err = -EPERM;
>         goto error;
>     case XFRM_POLICY_ALLOW:
>         .....
>     }
>
>     /* note: if policy is none, the packet should be sent out.
>        but, now in this case dst = ? */
>     *dst_p = dst;
>     dst_release(dst_orig);
>     xfrm_pols_put(pols, npols);
>     return 0;
>
>     ....
> }
>
> I think there is a bug about none policy, isn't there?
>
> _______________________________________________
> Ipsec-tools-users mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users
|
From: Joy L. <la...@au...> - 2007-05-23 19:41:19
|
All is working correctly.

In linux kernel in net/key/af_key.c, the pfkey_spdadd() function which
adds policy passed from userspace via pfkeyv2 marks "none" policy as
XFRM_POLICY_ALLOW.

    xp->action = (pol->sadb_x_policy_type == IPSEC_POLICY_DISCARD ?
                  XFRM_POLICY_BLOCK : XFRM_POLICY_ALLOW);

Thus in xfrm_lookup(), switch falls into XFRM_POLICY_ALLOW and
"if (policy->xfrm_nr == 0)" will be TRUE and xfrm_lookup() will return.
dst_p will contain its original value and packet will go through as is.
policy->xfrm_nr will be zero because we won't have any templates for
policy in this case.

Hope this helps.

Also, the best place to post ipsec kernel questions is to ne...@vg....

Regards,
Joy

On Wed, 2007-05-23 at 11:15 +0200, VANHULLEBUS Yvan wrote:
> Hi.
>
> Looks you are talking about a potential bug in Linux's kernel, so you
> should try some Linux kernel MLs (well, I guess some people who can
> answer your mail read this list).
>
> ipsec-tools MLs are for ipsec-tools USERLAND programs....
>
> Yvan.
>
> On Wed, May 23, 2007 at 05:06:51PM +0800, liu...@12... wrote:
> > Is there a bug about xfrm_lookup in xfrm_policy.c?
> >
> > int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
> >                 struct sock *sk, int flags)
> > {
> >     ....
> >
> >     struct dst_entry *dst, *dst_orig = *dst_p;   /* note */
> >     ....
> >
> >     /* if policy is "spdadd 10.0.11.0/24[any] 10.0.11.33/32[any] any -P out none",
> >        should it reach here? I think so */
> >     switch (policy->action) {
> >     case XFRM_POLICY_BLOCK:
> >         /* Prohibit the flow */
> >         err = -EPERM;
> >         goto error;
> >     case XFRM_POLICY_ALLOW:
> >         .....
> >     }
> >
> >     /* note: if policy is none, the packet should be sent out.
> >        but, now in this case dst = ? */
> >     *dst_p = dst;
> >     dst_release(dst_orig);
> >     xfrm_pols_put(pols, npols);
> >     return 0;
> >
> >     ....
> > }
> >
> > I think there is a bug about none policy, isn't there?

_______________________________________________
Ipsec-tools-devel mailing list
Ips...@li...
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
|
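The two kernel steps Joy describes (pfkey_spdadd() collapsing the pfkeyv2 policy type to an action, then xfrm_lookup() branching on the action and on xfrm_nr) as an added user-space model written for this thread. It is not code from net/key/af_key.c or net/xfrm/xfrm_policy.c: the constant values follow the uapi headers linux/ipsec.h and linux/xfrm.h, but struct policy_model, spdadd_model(), lookup_model() and classify() are invented for the model, and the "bundle" pointer merely stands in for the transformed route the real kernel would build from the templates.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model of the two kernel steps discussed in this thread.
 * Added example, not kernel code. Constant values follow linux/ipsec.h
 * and linux/xfrm.h; the struct and function names below are invented. */
enum { IPSEC_POLICY_DISCARD = 0, IPSEC_POLICY_NONE = 1, IPSEC_POLICY_IPSEC = 2 };
enum { XFRM_POLICY_ALLOW = 0, XFRM_POLICY_BLOCK = 1 };

struct policy_model {
    int action;   /* XFRM_POLICY_ALLOW or XFRM_POLICY_BLOCK */
    int xfrm_nr;  /* number of transform templates attached to the policy */
};

/* Model of the pfkey_spdadd() line quoted in the reply: the policy type
 * collapses to a two-valued action, and only an "ipsec" policy carries
 * templates, so "none" ends up as ALLOW with xfrm_nr == 0. */
static struct policy_model spdadd_model(int sadb_x_policy_type, int ntemplates)
{
    struct policy_model xp;
    xp.action = (sadb_x_policy_type == IPSEC_POLICY_DISCARD)
                ? XFRM_POLICY_BLOCK : XFRM_POLICY_ALLOW;
    xp.xfrm_nr = (sadb_x_policy_type == IPSEC_POLICY_IPSEC) ? ntemplates : 0;
    return xp;
}

/* Model of the policy switch in xfrm_lookup(). *dst_p is the route the
 * caller already resolved; `bundle` stands in for the transformed route
 * built from the templates. Returns 0 on success or -EPERM on block. */
static int lookup_model(const struct policy_model *pol,
                        const void **dst_p, const void *bundle)
{
    switch (pol->action) {
    case XFRM_POLICY_BLOCK:
        return -EPERM;                 /* "Prohibit the flow" */
    case XFRM_POLICY_ALLOW:
        if (pol->xfrm_nr == 0)
            return 0;                  /* no templates: *dst_p left as is */
        *dst_p = bundle;               /* templates present: route via bundle */
        return 0;
    default:
        return -EINVAL;
    }
}

enum { OUT_BLOCKED, OUT_PASSTHROUGH, OUT_TRANSFORMED, OUT_ERROR };

/* Run both steps for one spdadd policy type and report what happens to
 * the flow: blocked, sent out on the original route, or transformed. */
int classify(int sadb_x_policy_type, int ntemplates)
{
    static const int route = 0, bundle = 0;   /* only their addresses matter */
    const void *dst = &route;
    struct policy_model xp = spdadd_model(sadb_x_policy_type, ntemplates);
    int err = lookup_model(&xp, &dst, &bundle);

    if (err == -EPERM)
        return OUT_BLOCKED;
    if (err)
        return OUT_ERROR;
    return (dst == &route) ? OUT_PASSTHROUGH : OUT_TRANSFORMED;
}

int main(void)
{
    static const char *names[] = { "blocked", "pass-through (dst unchanged)",
                                   "transformed (dst replaced)", "error" };
    /* The three spdadd -P forms; the template count of 1 is constructed. */
    printf("-P out none    -> %s\n", names[classify(IPSEC_POLICY_NONE, 0)]);
    printf("-P out discard -> %s\n", names[classify(IPSEC_POLICY_DISCARD, 0)]);
    printf("-P out ipsec   -> %s\n", names[classify(IPSEC_POLICY_IPSEC, 1)]);
    return 0;
}
```

In this model a "-P out none" policy never reaches the *dst_p = dst assignment the original post worried about: the ALLOW branch returns while *dst_p still holds the caller's route. The model also shows that the decision is driven by xfrm_nr rather than by the policy type, so an "ipsec" policy with no templates behaves the same way as "none" here.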