[Swan-commit] Changes to ref refs/heads/master
Andrew Cagney
cagney at vault.libreswan.fi
Wed Jun 3 15:29:33 UTC 2020
New commits:
commit ec39b0b36f361238a4fdf645fe3c281deb27e14e
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Jun 3 11:05:46 2020 -0400
bsd: add hacks to revive tunnel mode (and hopefully not break tunnel mode)

It looks like tunnel mode did, at some point, work. It's just that all
the parts surrounding kernel-bsdkame have been shuffled to the point of
confusion.

Transport mode needs:

    pfkey_send_add(outgoing ESP/AH)
    pfkey_send_add(incoming ESP/AH)
    pfkey_send_spddb(outgoing transport)

while for tunnel mode:

    pfkey_send_add(outgoing ESP/AH)
    pfkey_send_add(incoming ESP/AH)
    pfkey_send_spddb(outgoing tunnel)
    pfkey_send_spddb(incoming tunnel)

Ref: http://www.netbsd.org/docs/network/ipsec/

But what's happening in setup_half_ipsec_sa() is (bsd had
.inbound_eroute=false):

    if (!kernel->inbound_eroute)
        call add_sa(IPIP)
        which makes no sense and caused BSD to abort
    call add_sa() for the SA (ESP, AH, ...) aka pfkey_send_add()
    if (kernel->inbound_eroute)
        call raw_eroute("inbound") aka pfkey_send_spdadd(outbound)
    ...
    the eroute code then calls raw_eroute("outbound") aka
    pfkey_send_spdadd(inbound)

So:

- I've no clue as to what the add_sa(IPIP) is trying to do
- the way raw_eroute() is called just seems bizarre

This patch changes BSD's .inbound_eroute to TRUE and then adds a hack
so that the inbound eroute isn't installed when in transport mode.
(If you're looking for good news, grep for inbound_eroute.)