I am working on setting up Labeled IPsec along with iptables nat rules. Once I insert nat related rules, the ipsec connection breaks and the system tries to re-negotiate and creates multiple SAs. I am using 2.6.19 kernel (with Venkat's MLSXFRM patches & bugfixes). I guess those were incorporated into the 2.6.20 kernel.
In my case, the function ip_route_me_harder() calls xfrm_lookup() a second time, which is causing the re-negotiation. I believe it is because the flowi->secid field is not set during the second xfrm_lookup() call. The ip_route_me_harder() function also calls xfrm_decode_session(), which I guess creates/fills the flowi details, and selinux_xfrm_decode_session fills flowi->secid from the skbuff->sec_path field. But since the skbuff->secpath field is not set, the flowi->secid field is reset to 0 on the decode_session() call. It seems like we have to fill in the secpath while creating the skbuff, before calling xfrm_decode_session, for the output flow.
Please do let me know if someone has already looked into this issue; it would be helpful if you could guide me with this. If someone has already tested labeled IPsec with NAT and my understanding is not correct, do let me know. I am new to the Linux kernel and finding it difficult to reason out the exact cause.
Thanks,
Yogesh
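A small diagnostic for the symptom described above (repeated re-negotiation leaving several SAs for one flow), added here as an example and not part of the original mail. It parses the text form of `ip xfrm state` and reports every src/dst/proto/mode tuple that has more than one SA; the sample state below is constructed.

```shell
#!/bin/sh
# Added example: flag IPsec SAs that share src/dst/proto/mode but differ
# in SPI, i.e. the "multiple SAs" symptom of a broken labeled IPsec lookup.
# Reads `ip xfrm state` output from the files given, or stdin when none.

# Print "src dst proto mode count" for every tuple with more than one SA.
find_duplicate_sas() {
    awk '
        $1 == "src" { src = $2; dst = $4 }
        $1 == "proto" {
            proto = $2; mode = ""
            for (i = 1; i <= NF; i++) if ($i == "mode") mode = $(i + 1)
            key = src " " dst " " proto " " mode
            n[key]++
        }
        END { for (k in n) if (n[k] > 1) print k, n[k] }
    ' "$@" | sort
}

# Constructed sample: two ESP tunnel SAs for the same endpoints (the
# duplicate case) plus a single AH SA in the other direction.
SAMPLE_XFRM_STATE='src 10.0.0.1 dst 10.0.0.2
	proto esp spi 0x00000101 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.0.0.1 dst 10.0.0.2
	proto esp spi 0x00000102 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.0.0.2 dst 10.0.0.1
	proto ah spi 0x00000201 reqid 2 mode tunnel
	replay-window 32 flag af-unspec
	sel src 0.0.0.0/0 dst 0.0.0.0/0'

# Number of duplicated tuples in the constructed sample.
duplicate_tuple_count() {
    printf '%s\n' "$SAMPLE_XFRM_STATE" | find_duplicate_sas | wc -l | tr -d ' '
}

# Run against the sample; on a live box use: ip xfrm state | find_duplicate_sas
printf '%s\n' "$SAMPLE_XFRM_STATE" | find_duplicate_sas
```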