Re: [PATCH net] vti: fix spd lookup: match plaintext pkt, not ipsec pkt

public inbox for netdev@vger.kernel.org 
 help / color / mirror / Atom feed

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded•com>
To: Christophe Gouault <christophe.gouault@6wind•com>,
	Steffen Klassert <steffen.klassert@secunet•com>,
	"David S. Miller" <davem@davemloft•net>
Cc: Herbert Xu <herbert@gondor•apana.org.au>,
	Saurabh Mohan <saurabh.mohan@vyatta•com>,
	netdev@vger•kernel.org
Subject: Re: [PATCH net] vti: fix spd lookup: match plaintext pkt, not ipsec pkt
Date: Tue, 05 Nov 2013 17:05:48 +0400	[thread overview]
Message-ID: <5278ED2C.8070604@cogentembedded.com> (raw)
In-Reply-To: <1383646612-30103-1-git-send-email-christophe.gouault@6wind.com>

Hello.

On 05-11-2013 14:16, Christophe Gouault wrote:

> The vti interface inbound and outbound SPD lookups are based on the
> ipsec packet instead of the plaintext packet.

> Not only is it counterintuitive, it also restricts vti interfaces
> to a single policy (whose selector must match the tunnel local and
> remote addresses).

> The policy selector is supposed to match the plaintext packet, before
> encryption or after decryption.

> This patch performs the SPD lookup based on the plaintext packet. It
> enables to create several polices bound to the vti interface (via a
> mark equal to the vti interface okey).

> It remains possible to apply the same policy to all packets entering
> the vti interface, by setting an any-to-any selector (src 0.0.0.0/0
> dst 0.0.0.0/0 proto any mark OKEY).

> Signed-off-by: Christophe Gouault <christophe.gouault@6wind•com>
> ---
>   net/ipv4/ip_vti.c |   28 +++++++++++++++++++++++++++-
>   1 file changed, 27 insertions(+), 1 deletion(-)

> diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
> index 6e87f85..a7e03c0 100644
> --- a/net/ipv4/ip_vti.c
> +++ b/net/ipv4/ip_vti.c
[...]
> @@ -133,7 +134,12 @@ static int vti_rcv(struct sk_buff *skb)
>   		 * only match policies with this mark.
>   		 */
>   		skb->mark = be32_to_cpu(tunnel->parms.o_key);
> +		/* the packet is decrypted, but not yet decapsulated.
> +		 * Temporarily make network_header point to the inner header
> +		 * for policy check */

    Multi-line comment style in the networking code is:

/* bla
  * bla
  */

[...]
> @@ -173,17 +181,35 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
>
>   	tos = old_iph->tos;
>
> +	/* SPD lookup: we must provide a dst_entry to xfrm_lookup, normally the
> +	 * route to the final destination. However this route is a route via
> +	 * the vti interface. Now vti interfaces typically have the NOXFRM
> +	 * flag, hence xfrm_lookup would bypass IPsec.
> +	 *
> +	 * Therefore, we feed xfrm_lookup with a route to the vti tunnel remote
> +	 * endpoint instead.
> +	 */

    Hm, you got it right the second and third time.

WBR, Sergei

next prev parent reply	other threads:[~2013-11-05 13:05 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-11-05 10:16 [PATCH net] vti: fix spd lookup: match plaintext pkt, not ipsec pkt Christophe Gouault
2013-11-05 13:05 ` Sergei Shtylyov [this message]
2013-11-05 14:31   ` Christophe Gouault
2013-11-05 15:58 ` [PATCH net v2] " Christophe Gouault
2013-11-05 17:01   ` Eric Dumazet
2013-11-05 17:24     ` Christophe Gouault
2013-11-06  8:05 ` [PATCH net v3] " Christophe Gouault
2013-11-07 11:25   ` Steffen Klassert
2013-11-07 12:55     ` Christophe Gouault
2013-11-08 11:01       ` Steffen Klassert
2013-11-08 17:45         ` David Miller
2013-11-18 21:38       ` Saurabh Mohan
2013-11-19  0:01         ` Andrew Collins
2013-11-19  9:16         ` Fan Du
2013-11-21 12:17           ` Steffen Klassert
2013-11-21 18:39           ` Saurabh Mohan
2013-11-24 10:21             ` Fan Du
2013-11-21 10:07         ` Christophe Gouault
2013-11-21 11:45           ` Steffen Klassert
2013-11-07 23:17     ` David Miller
2013-11-08 12:55       ` Christophe Gouault
2013-11-21 12:12   ` Steffen Klassert
2013-11-21 18:35     ` Saurabh Mohan
2013-11-22 14:33     ` Christophe Gouault
2013-12-03  7:55       ` Steffen Klassert
2013-12-03  9:01         ` Christophe Gouault
2013-12-03  9:39           ` Steffen Klassert

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5278ED2C.8070604@cogentembedded.com \
    --to=sergei.shtylyov@cogentembedded$(echo .)com \
    --cc=christophe.gouault@6wind$(echo .)com \
    --cc=davem@davemloft$(echo .)net \
    --cc=herbert@gondor$(echo .)apana.org.au \
    --cc=netdev@vger$(echo .)kernel.org \
    --cc=saurabh.mohan@vyatta$(echo .)com \
    --cc=steffen.klassert@secunet$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox