Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netipsec fix lookup of SAs for outgoing packets in the !...
details: https://anonhg.NetBSD.org/src/rev/1ff22d929046
branches: trunk
changeset: 765051:1ff22d929046
user: drochner <drochner%NetBSD.org@localhost>
date: Tue May 17 18:43:02 2011 +0000
description:
fix lookup of SAs for outgoing packets in the !prefered_oldsa case,
as done in KAME and FAST_IPSEC after NetBSD imported the code
(The default differs: KAME uses the oldest valid SA while FAST_IPSEC
in NetBSD uses the newest one. I'm not changing this -- there is a lack
of specification and behavior can be changed with the "oldsa" sysctl.)
For incoming packets it shouldn't matter but I made it look similar
just to avoid unnecessary differences.
diffstat:
sys/netipsec/key.c | 41 +++++++++++++++++++++++++++++++++--------
1 files changed, 33 insertions(+), 8 deletions(-)
diffs (99 lines):
diff -r dfeedc4ab832 -r 1ff22d929046 sys/netipsec/key.c
--- a/sys/netipsec/key.c Tue May 17 17:42:46 2011 +0000
+++ b/sys/netipsec/key.c Tue May 17 18:43:02 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.66 2011/02/21 22:28:18 drochner Exp $ */
+/* $NetBSD: key.c,v 1.67 2011/05/17 18:43:02 drochner Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.66 2011/02/21 22:28:18 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.67 2011/05/17 18:43:02 drochner Exp $");
/*
* This code is referd to RFC 2367
@@ -152,13 +152,17 @@
static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
/* search order for SAs */
-static const u_int saorder_state_valid[] = {
- SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
/*
* This order is important because we must select the oldest SA
* for outbound processing. For inbound, This is not important.
*/
+static const u_int saorder_state_valid_prefer_old[] = {
+ SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
};
+static const u_int saorder_state_valid_prefer_new[] = {
+ SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
+};
+
static const u_int saorder_state_alive[] = {
/* except DEAD */
SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
@@ -885,6 +889,8 @@
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, state;
+ const u_int *saorder_state_valid;
+ int arraysize;
LIST_FOREACH(sah, &sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
@@ -897,9 +903,21 @@
found:
+ /*
+ * search a valid state list for outbound packet.
+ * This search order is important.
+ */
+ if (key_prefered_oldsa) {
+ saorder_state_valid = saorder_state_valid_prefer_old;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+ } else {
+ saorder_state_valid = saorder_state_valid_prefer_new;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+ }
+
/* search valid state */
for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_valid);
+ stateidx < arraysize;
stateidx++) {
state = saorder_state_valid[stateidx];
@@ -1075,6 +1093,8 @@
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, state;
+ const u_int *saorder_state_valid;
+ int arraysize;
int s;
int chkport = 0;
@@ -1119,11 +1139,16 @@
* encrypted so we can't check internal IP header.
*/
s = splsoftnet(); /*called from softclock()*/
+ if (key_prefered_oldsa) {
+ saorder_state_valid = saorder_state_valid_prefer_old;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+ } else {
+ saorder_state_valid = saorder_state_valid_prefer_new;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+ }
LIST_FOREACH(sah, &sahtree, chain) {
/* search valid state */
- for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_valid);
- stateidx++) {
+ for (stateidx = 0; stateidx < arraysize; stateidx++) {
state = saorder_state_valid[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
/* sanity check */
Home |
Main Index |
Thread Index |
Old Index