[Swan-commit] Changes to ref refs/heads/master

Andrew Cagney cagney at vault.libreswan.fi
Wed Jun 3 15:29:33 UTC 2020

New commits:
commit ec39b0b36f361238a4fdf645fe3c281deb27e14e
Author: Andrew Cagney <cagney at gnu.org>
Date:   Wed Jun 3 11:05:46 2020 -0400

    bsd: add hacks to revive tunnel mode (and hopefully not break tunnel mode)
    It looks like tunnel mode did, at some point work.  It's just that all
    the parts surounding kernel-bsdkame have been shuffled to the point of
    Transport mode needs:
      pfkey_send_add(outgoing ESP/AH)
      pfkey_send_add(incomming ESP/AH)
      pfkey_send_spddb(outgoing transport)
    while for tunnel mode:
      pfkey_send_add(outgoing ESP/AH)
      pfkey_send_add(incomming ESP/AH)
      pfkey_send_spddb(outgoing tunnel)
      pfkey_send_spddb(incomming tunnel)
    Ref: http://www.netbsd.org/docs/network/ipsec/
    But what's happening in setup_half_ipsec_sa() is (bsd had
      if (!kernel->inbound_eroute)
        call add_sa(IPIP)
        which makes no sense and caused BSD to abort
      call add_sa() for the SA (ESP, AH, ...) aka pfkey_send_add()
      if (kernel->inbound_eroute)
        call raw_eroute("inbound") aka pfkey_send_spdadd(outbound)
      the eroute code then calls raw_eroute("outbound") aka
    - I've no clue as to what the add_sa(IPIP) is trying to do
    - the way raw_eroute() is called just seems bizare
    This patch changes BSD's .inbound_eroute to TRUE and then adds a hack
    so that the inbound eroute isn't installed when transport mode.
    (if you're looking for good news, grep for inbound_eroute).

More information about the Swan-commit mailing list