Herbert Xu wrote:
> Marco Berizzi <[EMAIL PROTECTED]> wrote:
> > Yesterday I have updated to linux 2.6.19.2
> > (from 2.6.19.1) and passthrough openswan
> > connection aren't working anymore.
> > This is the 'ip -s x s' output:
>
> I presume you mean ip -s x p :)

yes indeed ;-)

> Nasty. This means that the policy list is no longer sorted by priority.
> Can you please try this patch and let me know if it fixes the problem?

Yes, the patch below fixes the problem. I have applied to 2.6.19.2:

[EMAIL PROTECTED]:/usr/src/linux-2.6.19.2# patch -p1 < ../herbert
patching file net/xfrm/xfrm_policy.c
Hunk #1 succeeded at 615 (offset -35 lines).

Thanks a lot for the feedback.

> [IPSEC]: Policy list disorder
>
> The recent hashing introduced an off-by-one bug in policy list insertion.
> Instead of adding after the last entry with a lesser or equal priority,
> we're adding after the successor of that entry.
>
> This patch fixes this and also adds a warning if we detect a duplicate
> entry in the policy list. This should never happen due to this if clause.
>
> Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>
>
> Thanks,
> --
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
> --
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c > index bebd40e..b7e537f 100644 > --- a/net/xfrm/xfrm_policy.c > +++ b/net/xfrm/xfrm_policy.c
> @@ -650,19 +650,18 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) > struct xfrm_policy *pol; > struct xfrm_policy *delpol; > struct hlist_head *chain; > - struct hlist_node *entry, *newpos, *last; > + struct hlist_node *entry, *newpos; > struct dst_entry *gc_list; > > write_lock_bh(&xfrm_policy_lock); > chain = policy_hash_bysel(&policy->selector, policy->family, dir); > delpol = NULL; > newpos = NULL; > - last = NULL; > hlist_for_each_entry(pol, entry, chain, bydst) { > - if (!delpol && > - pol->type == policy->type && > + if (pol->type == policy->type && > !selector_cmp(&pol->selector, &policy->selector) && > - xfrm_sec_ctx_match(pol->security, policy->security)) { > + xfrm_sec_ctx_match(pol->security, policy->security) && > + !WARN_ON(delpol)) { > if (excl) { > write_unlock_bh(&xfrm_policy_lock); > return -EEXIST; > @@ -671,17 +670,12 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) > if (policy->priority > pol->priority) > continue; > } else if (policy->priority >= pol->priority) { > - last = &pol->bydst; > + newpos = &pol->bydst; > continue; > } > - if (!newpos) > - newpos = &pol->bydst; > if (delpol) > break; > - last = &pol->bydst; > } > - if (!newpos) > - newpos = last; > if (newpos) > hlist_add_after(newpos, &policy->bydst); > else > - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
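
Review bot: In the first hunk (@@ -650,19), `!WARN_ON(delpol)` is the last term of the match condition, so when a second matching entry turns up the warning fires and that entry drops into the `else if (policy->priority >= pol->priority)` arm, where it can become `newpos` like any unrelated policy. A short comment above the condition saying that a second match means the chain is corrupt, and that the duplicate is deliberately left in place, would make that intent explicit. Because of the `if (delpol) break;` kept in the next hunk, the check also only covers entries up to the insertion point, so a duplicate further down the chain is not reported; the comment should say that too.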
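
Review bot: In the second hunk (@@ -671,17), nothing documents the invariant the loop now relies on: the chain is kept in ascending priority order and `newpos` ends the loop as the last entry whose priority is less than or equal to the new policy's. With `last` and the post-loop `if (!newpos) newpos = last;` fallback removed, that is carried entirely by `newpos = &pol->bydst;` in the `else if` arm, so a one-line comment above the loop stating the ordering rule and what `newpos == NULL` means at `hlist_add_after(newpos, &policy->bydst);` would guard against the same off-by-one being reintroduced.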
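
The off-by-one described in the commit message, reduced to a small stand-alone model; this is an added example, not code from the thread or from the kernel. `struct pol`, `place`, `insert_old`, `insert_new`, `chain_sorted` and the sample priorities are hypothetical names and constructed data, the replace (`delpol`) path is left out, and inserting at the head when no anchor is found is an assumption, since the patch's `else` arm is cut off on the page.

```c
#include <stdio.h>

/* Constructed model: one policy chain, each entry reduced to its priority. */
struct pol { int prio; struct pol *next; };
typedef void (*inserter)(struct pol **head, struct pol *n);
static const int SAMPLE[] = { 10, 30, 20 }; /* constructed insertion order */

/* Link n after newpos; with no anchor, put it at the head (assumption). */
static void place(struct pol **head, struct pol *newpos, struct pol *n) {
    if (newpos) { n->next = newpos->next; newpos->next = n; }
    else { n->next = *head; *head = n; }
}

/* Position choice of the removed '-' lines (replace/delpol path left out). */
static void insert_old(struct pol **head, struct pol *n) {
    struct pol *p, *newpos = NULL, *last = NULL;
    for (p = *head; p; p = p->next) {
        if (n->prio >= p->prio) { last = p; continue; }
        if (!newpos) newpos = p; /* first entry with a greater priority */
        last = p;
    }
    place(head, newpos ? newpos : last, n); /* newpos, when set, is one too far */
}

/* Position choice of the added '+' lines: last entry with priority <= new. */
static void insert_new(struct pol **head, struct pol *n) {
    struct pol *p, *newpos = NULL;
    for (p = *head; p; p = p->next)
        if (n->prio >= p->prio) newpos = p;
    place(head, newpos, n);
}

/* Insert prios[0..n-1] in order; return 1 if the chain ends up sorted. */
static int chain_sorted(inserter ins, const int *prios, int n) {
    struct pol pool[16], *head = NULL, *p;
    for (int i = 0; i < n && i < 16; i++) {
        pool[i].prio = prios[i];
        ins(&head, &pool[i]);
    }
    for (p = head; p && p->next; p = p->next)
        if (p->prio > p->next->prio) return 0;
    return 1;
}

int main(void) {
    printf("old logic sorted: %d\n", chain_sorted(insert_old, SAMPLE, 3));
    printf("new logic sorted: %d\n", chain_sorted(insert_new, SAMPLE, 3));
    return 0;
}
```

Policies added in ascending priority order stay sorted even under the old logic, which is why the disorder only shows up once a policy has to be placed in front of an existing higher-numbered one.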
