[Swan-dev] text_said() calls in create_xfrm_migrate_sa() puzzle me

Sat, 19 Jun 2021 12:35:12 -0700 

I don't understand this code but I'm "improving" it, based on symmetry.
I've hit a snag.  Advice welcome!

There are four calls to text_said.  Here's what they look like, with
details removed:

        if (endpoint_is_specified(st->st_mobike_local_endpoint)) {
                if (dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD) {
                        src = &c->spd.that.host_addr;
                        dst = &c->spd.this.host_addr;
                        set_text_said(n, dst, sa.spi, proto);
                } else {
                        src = &c->spd.this.host_addr;
                        dst = &c->spd.that.host_addr;
                        set_text_said(n, src, sa.spi, proto);
                }
        } else {
                if (dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD) {
                        src = &c->spd.that.host_addr;
                        dst = &c->spd.this.host_addr;
                        set_text_said(n, src, sa.spi, proto);
                } else {
                        src = &c->spd.this.host_addr;
                        dst = &c->spd.that.host_addr;
                        set_text_said(n, dst, sa.spi, proto);
                        }
                }
        }

I'm a little surprised and puzzled that the second args to
set_text_said calls go
        dst
        src
        src
        dst
My intuition says that these should each be "dst".

Even if that's not correct, it feels as if the either the first pair
or the second pair is reversed.

Note: the text_said only appears in logging so being wrong has no
serious consequences.

Observations:

If !(dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD)
then dir == XFRM_POLICY_OUT.

Kernel IPSec SA's are unidirectional.
The SAID includes the destination address of packets carried by the SA.
I think that in each case, the destination address is "dst".

There are currently three calls to this function, all within one 
statement of the function netlink_migrate_sa:
        return
                create_xfrm_migrate_sa(st, XFRM_POLICY_OUT, &sa, mig_said) &&
                migrate_xfrm_sa(&sa, st->st_logger) &&

                create_xfrm_migrate_sa(st, XFRM_POLICY_IN, &sa, mig_said) &&
                migrate_xfrm_sa(&sa, st->st_logger) &&

                create_xfrm_migrate_sa(st, XFRM_POLICY_FWD, &sa, mig_said) &&
                migrate_xfrm_sa(&sa, st->st_logger);


dir is the second argument of create_xfrm_migrate_sa.  Clearly it can
only have one of three values: XFRM_POLICY_OUT, XFRM_POLICY_IN,
XFRM_POLICY_FWD.  So the test of dir could be simplified to
        dir != XFRM_POLICY_OUT

Each IPSec SA is unidirectional.  That's why they come in pairs, one
for each direction.

The SAID is a triple: destination IP, SPI, protocol (eg. AH or ESP).

The test dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD must be
telling us whether we're dealing with an inbound SA.  If it's true, it
must be inbound.
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev

Reply via email to