Marco Berizzi <[EMAIL PROTECTED]> wrote: > Yesterday I have updated to linux 2.6.19.2 > (from 2.6.19.1) and passthrough openswan > connection aren't working anymore. > This is the 'ip -s x s' output:
I presume you mean ip -s x p :) > src 10.180.0.0/16 dst 172.16.0.0/23 uid 0 > dir in action allow index 208 priority 2384 ptype main share any flag > 0x00000000 > lifetime config: > limit: soft (INF)(bytes), hard (INF)(bytes) > limit: soft (INF)(packets), hard (INF)(packets) > expire add: soft 0(sec), hard 0(sec) > expire use: soft 0(sec), hard 0(sec) > lifetime current: > 0(bytes), 0(packets) > add 2007-01-16 03:20:30 use 2007-01-16 16:48:47 ... > Apparently the passthrough connection > is correctly displayed by 'ip -s x s', > but packets from 172.16.0.0/23 to > 10.180.0.0/16 are eaten by this ipsec > policy: > > src 10.0.0.0/8 dst 172.16.0.0/23 uid 0 > dir in action allow index 344 priority 2392 ptype main share any flag > 0x00000000 > lifetime config: > limit: soft (INF)(bytes), hard (INF)(bytes) > limit: soft (INF)(packets), hard (INF)(packets) > expire add: soft 0(sec), hard 0(sec) > expire use: soft 0(sec), hard 0(sec) > lifetime current: > 0(bytes), 0(packets) > add 2007-01-16 03:20:34 use 2007-01-16 16:17:15 > tmpl src milano dst venessia > proto comp spi 0x00000000(0) reqid 16430(0x0000402e) mode tunnel > level use share any > enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff > tmpl src 0.0.0.0 dst 0.0.0.0 > proto esp spi 0x00000000(0) reqid 16429(0x0000402d) mode transport > level required share any > enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff Nasty. This means that the policy list is no longer sorted by priority. Can you please try this patch and let me know if it fixes the problem? [IPSEC]: Policy list disorder The recent hashing introduced an off-by-one bug in policy list insertion. Instead of adding after the last entry with a lesser or equal priority, we're adding after the successor of that entry. This patch fixes this and also adds a warning if we detect a duplicate entry in the policy list. This should never happen due to this if clause. Signed-off-by: Herbert Xu <[EMAIL PROTECTED]> Thanks, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index bebd40e..b7e537f 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -650,19 +650,18 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) struct xfrm_policy *pol; struct xfrm_policy *delpol; struct hlist_head *chain; - struct hlist_node *entry, *newpos, *last; + struct hlist_node *entry, *newpos; struct dst_entry *gc_list; write_lock_bh(&xfrm_policy_lock); chain = policy_hash_bysel(&policy->selector, policy->family, dir); delpol = NULL; newpos = NULL; - last = NULL; hlist_for_each_entry(pol, entry, chain, bydst) { - if (!delpol && - pol->type == policy->type && + if (pol->type == policy->type && !selector_cmp(&pol->selector, &policy->selector) && - xfrm_sec_ctx_match(pol->security, policy->security)) { + xfrm_sec_ctx_match(pol->security, policy->security) && + !WARN_ON(delpol)) { if (excl) { write_unlock_bh(&xfrm_policy_lock); return -EEXIST; @@ -671,17 +670,12 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) if (policy->priority > pol->priority) continue; } else if (policy->priority >= pol->priority) { - last = &pol->bydst; + newpos = &pol->bydst; continue; } - if (!newpos) - newpos = &pol->bydst; if (delpol) break; - last = &pol->bydst; } - if (!newpos) - newpos = last; if (newpos) hlist_add_after(newpos, &policy->bydst); else - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
