(usagi-users 02383) IPsec pfkey command and input transaction
- To: usagi-users@xxxxxxxxxxxxxx
- Subject: (usagi-users 02383) IPsec pfkey command and input transaction
- From: Kazutaka Tachibana <Kazutaka.Tachibana@xxxxxxxxxxx>
- Date: Thu, 22 May 2003 14:01:34 +0900
- Cc: Kazutaka.Tachibana@xxxxxxxxxxx
- Reply-to: usagi-users@xxxxxxxxxxxxxx
Hi.
I want to add a "Security Policy" manually, so I use the "pfkey" command as
follows.
pfkey -A sp -T esp -S 0x1234 -s fec0::1 -d fec0::2 --sport 9999 --dport 80
And next, I changed the "port" parameter.
pfkey -A sp -T esp -S 0x1234 -s fec0::1 -d fec0::2 --sport 8888 --dport 80
And next:
pfkey -L
-----------------------------------------------------------------------
SADB:
SPD:
spd:c5dce800
fec0:0000:0000:0000:0000:0000:0000:0001/128 0
fec0:0000:0000:0000:0000:0000:0000:0002/128 0 0 0 0
sa(esp):00000000 fec0:0000:0000:0000:0000:0000:0000:0002/128 3 0x1234
-----------------------------------------------------------------------
The result of the "pfkey -L" command is as above.
I wondered why there is only one "SPD",
so I checked the "pfkey.c" file.
+++ from line:162 to 188
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
switch (query.msgtype) {
case SADB_ADD:
case SADB_DELETE:
case SADB_X_DELFLOW:
    if (((struct sockaddr*)&(query.address_s))->sa_family !=
        ((struct sockaddr*)&(query.address_s))->sa_family) {
        fprintf(stderr, "address family of source and destination are deffrent\n");
        exit(EXIT_FAILURE);
    }
    switch (((struct sockaddr*)&(query.address_s))->sa_family) {
    case AF_INET:
        ((struct sockaddr_in*)&(query.address_s))->sin_port = htons((uint16_t) query.port_s);
        ((struct sockaddr_in*)&(query.address_d))->sin_port = htons((uint16_t) query.port_d);
        break;
    case AF_INET6:
        ((struct sockaddr_in6*)&(query.address_s))->sin6_port = htons((uint16_t) query.port_s);
        ((struct sockaddr_in6*)&(query.address_d))->sin6_port = htons((uint16_t) query.port_d);
        break;
    default:
        fprintf(stderr, "address family is unknown\n");
        exit(EXIT_FAILURE);
    }
    break;
default:
    break;
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I think when we execute the "pfkey -A sp" command, query.msgtype is SADB_X_ADDFLOW,
but in the case of adding port information, this code doesn't execute the
following.
    case AF_INET6:
        ((struct sockaddr_in6*)&(query.address_s))->sin6_port =
            htons((uint16_t) query.port_s);
        ((struct sockaddr_in6*)&(query.address_d))->sin6_port =
            htons((uint16_t) query.port_d);
        break;
Then I added "case SADB_X_ADDFLOW" as follows.
As a result, I could append two Security Policies.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
switch (query.msgtype) {
case SADB_ADD:
case SADB_DELETE:
case SADB_X_DELFLOW:
case SADB_X_ADDFLOW:  // I added this case
    if (((struct sockaddr*)&(query.address_s))->sa_family !=
        ((struct sockaddr*)&(query.address_s))->sa_family) {
        fprintf(stderr, "address family of source and destination are deffrent\n");
        ...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
BUT!!
In "ipsec6_input.c", USAGI's code doesn't copy the port information into the
selector structure,
so the IPsec packet is discarded!
The "dmesg" command displayed this:
ip6_input: (ipsec) dropping packet
This error message is displayed by the following code in "ip6_input.c":
+++from line:204 to 208 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
IPSEC6_DEBUG("called\n");
if (ipsec6_input_check(&skb, &nexthdr)) {
    if (net_ratelimit())
        printk(KERN_DEBUG "ip6_input: (ipsec) dropping packet\n");
    goto discard;
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Why isn't port information included in the selector?
RFC 2401 describes port information as being included in the selector.
Is this code based on USAGI's policy, or is it a bug?
Please tell me why.
=======================================================
Sony LSI Design Inc., Sapporo Branch, Section 2
Kazutaka Tachibana
Postal code 060-0042
Sony Sapporo Building 4F, 9-1-18 Odori-nishi, Chuo-ku, Sapporo, Hokkaido
E-mail :Kazutaka.Tachibana@xxxxxxxxxxx
TEL :9-259-3223 (outside line 011-281-3223)
FAX :9-259-3993 (outside line 011-281-3993)
=======================================================
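An added example, not part of this mail or of the USAGI sources: a constructed SPD lookup in C, with hypothetical types and function names, showing why port-specific policies never match when the input path leaves the ports out of the packet's selector. `demo(0)` mimics the input path described in the mail and returns -1 (no covering policy, packet dropped); `demo(1)` fills the ports from the TCP header and finds the first policy.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
/* Selector in the RFC 2401 sense: addresses plus ports, port 0 meaning "any". Constructed here. */
struct sel { struct in6_addr src, dst; uint16_t sport, dport; };
static int port_ok(uint16_t want, uint16_t got) { return want == 0 || want == got; }
static int sel_match(const struct sel *p, const struct sel *k)
{
    return !memcmp(&p->src, &k->src, 16) && !memcmp(&p->dst, &k->dst, 16) &&
           port_ok(p->sport, k->sport) && port_ok(p->dport, k->dport);
}
/* First SPD entry covering the packet, or -1: the input check then fails and the packet is dropped. */
int spd_lookup(const struct sel *spd, int n, const struct sel *k)
{
    for (int i = 0; i < n; i++)
        if (sel_match(&spd[i], k))
            return i;
    return -1;
}
/* Build the packet's selector. fill_ports == 0 mimics an input path that never
 * copies the transport ports into the selector; 1 reads them from the TCP header. */
struct sel pkt_selector(const char *src, const char *dst, const uint8_t *tcp, int fill_ports)
{
    struct sel k;
    memset(&k, 0, sizeof k);
    inet_pton(AF_INET6, src, &k.src);
    inet_pton(AF_INET6, dst, &k.dst);
    if (fill_ports) {                     /* TCP header: bytes 0-1 sport, 2-3 dport */
        k.sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
        k.dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    }
    return k;
}
/* The two policies from the mail (sport 9999 / 8888, dport 80) and one constructed
 * ESP-protected packet fec0::1 port 9999 -> fec0::2 port 80. */
int demo(int fill_ports)
{
    struct sel spd[2];
    memset(spd, 0, sizeof spd);
    for (int i = 0; i < 2; i++) {
        inet_pton(AF_INET6, "fec0::1", &spd[i].src);
        inet_pton(AF_INET6, "fec0::2", &spd[i].dst);
        spd[i].dport = 80;
    }
    spd[0].sport = 9999;
    spd[1].sport = 8888;
    static const uint8_t tcp[4] = { 0x27, 0x0f, 0x00, 0x50 };   /* 9999, 80 in network order */
    struct sel k = pkt_selector("fec0::1", "fec0::2", tcp, fill_ports);
    return spd_lookup(spd, 2, &k);
}
```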