On Mon, 19 Dec 2005, David S. Miller wrote:

> > From: Krzysztof Oledzki <[EMAIL PROTECTED]>
> > Date: Mon, 19 Dec 2005 10:37:14 +0100 (CET)
> >
> > OK. With this patch the kernel switches to the new SA immediately, but only for
> > ping. The TCP (ssh) session between Cisco and Linux is still protected by the
> > old SA.

> Ok, we're making progress :-)
>
> When the bundles get flushed, xfrm_prune_bundles() accumulates all
> the per-policy bundles into a list and runs dst_free() on each
> and every one.
>
> Unless marked obsolete already (these dst's should not be marked
> obsolete), it invokes __dst_free() which marks the dst as obsolete
> and this in turn should trigger the cached socket route check here
> in __sk_dst_check().
>
> static inline struct dst_entry *
> __sk_dst_check(struct sock *sk, u32 cookie)
> {
>         struct dst_entry *dst = sk->sk_dst_cache;
>
>         if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
>                 sk->sk_dst_cache = NULL;
>                 dst_release(dst);
>                 return NULL;
>         }
>
>         return dst;
> }
>
> Oh, that's the bug, dst->ops->check() is xfrm_dst_check().  That tests
> validity using "stable_bundle()" which thinks the dst is still
> valid.  Please add these two lines:
>
>         if (dst->obsolete)
>                 return NULL;
>
> at the beginning of xfrm_dst_check() and all should be fine.

Yes, it works now perfectly:

06:19:09.363154 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x03456676,seq=0x145)
06:19:09.363548 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4fd702b2,seq=0x166)
06:19:09.736632 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4fd702b2,seq=0x167)
06:19:09.741256 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x03456676,seq=0x146)

Dec 20 06:19:10 chochlik racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.24[0]->192.168.0.7[0] spi=72688259(0x4552283)
Dec 20 06:19:10 chochlik racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.7[0]->192.168.0.24[0] spi=671780776(0x280a8fa8)

06:19:10.382903 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x04552283,seq=0x1)
06:19:10.383364 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x280a8fa8,seq=0x1)
06:19:10.737511 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x280a8fa8,seq=0x2)
06:19:10.742083 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x04552283,seq=0x2)

> Dziekuje bardzo for all of your testing so far Krzysztof.

Dziekuje bardzo ;)

Best regards,

                                Krzysztof Olędzki
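Added example, not code from the thread or from the kernel: a small user-space C model of the cached-route check discussed above, with the buggy and the fixed xfrm_dst_check() side by side so the effect of the two added lines can be observed. The struct layouts, the bundle_stable field standing in for stable_bundle(), and the stale_route_dropped() helper are simplified assumptions of this model.

```c
/* Added user-space model of the check in the thread: a socket caches a dst, the
 * bundle flush marks it obsolete via __dst_free(), and __sk_dst_check() drops it
 * only if dst->ops->check() agrees. Structs and stable_bundle() are stand-ins. */
#include <stddef.h>
struct dst_entry;
struct dst_ops { struct dst_entry *(*check)(struct dst_entry *dst, unsigned int cookie); };
struct dst_entry {
    int obsolete;        /* set by __dst_free() when the bundles are flushed */
    int bundle_stable;   /* stand-in for stable_bundle(): SAs still look usable */
    struct dst_ops *ops;
    int refcnt;
};
struct sock { struct dst_entry *sk_dst_cache; };
static void dst_release(struct dst_entry *dst) { dst->refcnt--; }

/* Buggy xfrm_dst_check(): consults only the bundle state, ignores dst->obsolete. */
static struct dst_entry *xfrm_dst_check_old(struct dst_entry *dst, unsigned int cookie)
{
    (void)cookie;
    return dst->bundle_stable ? dst : NULL;
}
/* Fixed xfrm_dst_check(): the two lines from the thread, ahead of the bundle test. */
static struct dst_entry *xfrm_dst_check_fixed(struct dst_entry *dst, unsigned int cookie)
{
    if (dst->obsolete)
        return NULL;
    return xfrm_dst_check_old(dst, cookie);
}
/* Same logic as the __sk_dst_check() quoted in the thread. */
static struct dst_entry *__sk_dst_check(struct sock *sk, unsigned int cookie)
{
    struct dst_entry *dst = sk->sk_dst_cache;
    if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
        sk->sk_dst_cache = NULL;
        dst_release(dst);
        return NULL;
    }
    return dst;
}
/* Simulates the SA switch: the flush marks the cached bundle obsolete, then the
 * socket re-checks its route. Returns 1 if the stale route was dropped, 0 if the
 * socket keeps sending over the old SA (the reported bug). */
int stale_route_dropped(struct dst_ops *ops)
{
    struct dst_entry dst = { .obsolete = 0, .bundle_stable = 1, .ops = ops, .refcnt = 1 };
    struct sock sk = { .sk_dst_cache = &dst };
    dst.obsolete = 1;   /* xfrm_prune_bundles() -> dst_free() -> __dst_free() */
    return __sk_dst_check(&sk, 0) == NULL && sk.sk_dst_cache == NULL;
}
struct dst_ops old_ops = { .check = xfrm_dst_check_old };
struct dst_ops fixed_ops = { .check = xfrm_dst_check_fixed };
```

With old_ops the socket keeps its cached bundle after the flush (the ssh session staying on the old SA); with fixed_ops the obsolete dst is released and the next send re-routes through the new bundle.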
