
(usagi-users 00842) Re: SPD behaviour in IPSEC



Hi,

I previously mentioned a problem with SPD behaviour within IPSEC.
The following code prevents the SPD from associating the same SA more than
once with a policy. 

Thanks,
Joy Latten



--- pfkey_v2_msg_flow.c.orig	Thu Oct  4 14:35:38 2001
+++ pfkey_v2_msg_flow.c	Thu Oct  4 14:56:41 2001
@@ -165,7 +165,22 @@  sadb_msg_addflow_parse()
 
 		} else if (error == -EEXIST) {
 
-			/* It has already been in spd_list, I append sa_index into it's sa_list */
+			struct list_head *pos = NULL;
+			struct sa_index *tmp = NULL;
+
+			/* It has already been in spd_list, check sa_list
+			   to see if SA already exists, if not append sa_index 
+			   into it's sa_list */
+			
+                       list_for_each(pos, &(policy->sa_index_list)) {
+                                tmp = list_entry(pos, struct sa_index, entry);
+                                if (sa_index_compare(&sa_idx, tmp) == 0) {
+                                        /* matching SA found */
+					pr_debug("pfkey_msg_addflow_parse: Policy already exist.");
+                                        error = -EEXIST;
+                                        goto err;
+                                }
+			}
 			pr_debug("pfkey_msg_addflow_parse: policy=%p\n", policy);
 			error = sa_list_append(&(policy->sa_index_list), &sa_idx);
 			if (error) {
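
Review bot: The duplicate check in the added list_for_each() loop and the sa_list_append() call after it are two separate steps, and nothing in this hunk shows a lock held across both. If policy->sa_index_list can be modified from another context, two add-flow requests could each pass the check and each append the same SA, so the walk and the append should run under the same lock, or the uniqueness check should live inside sa_list_append(). In the match branch, error is already -EEXIST on entry to this else-if, so `error = -EEXIST;` is redundant; since `goto err` is a new exit taken with an existing policy in hand, please confirm the err path is correct for a policy that was found rather than created. The new pr_debug() string is missing the trailing \n that the pr_debug() on the next context line has, and "Policy already exist." is misleading here because the policy existing is the expected case; the message should say that the SA is already in the policy's sa_list. The added lines also mix space and tab indentation, while the surrounding code uses tabs.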



Thanks,
Joy Latten


>I had started working on a way to fix this, but then stopped because
>I thought perhaps it was supposed to do this... I will send my patch
>when completed, if you like.
>
>Thanks,
>Joy 
>
>>Hello,
>>
>>Ummm, it seems to be a bug.
>>
>>Thanks.
>>
>>-mk
>>
>>At Thu, 27 Sep 2001 15:41:31 -0500,
>>latten@xxxxxxxxxxxxxx wrote:
>>> 
>>> Hi,
>>> 
>>> I have an IPSEC question. Should I be able to add the same security
>>> association to a Security Policy multiple times?? I was manually
>>> adding my security policies with the pfkey command and accidentally
>>> added one twice. When I viewed my SPD I saw that my SA policy had been 
>>> added twice to the SPD. Is this correct and expected behavior?  
>>> Should the SAs within a policy be unique with respect to its 3 fields; 
>>> destination, ipsec protocol, and spi?
>>> 
>>> Joy Latten