[Swan-dev] text_said() calls in create_xfrm_migrate_sa() puzzle me

D. Hugh Redelmeier hugh at mimosa.com
Sat Jun 19 19:34:56 UTC 2021


I don't understand this code but I'm "improving" it, based on symmetry.
I've hit a snag.  Advice welcome!

There are four calls to text_said.  Here's what they look like, with
details removed:

	if (endpoint_is_specified(st->st_mobike_local_endpoint)) {
		if (dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD) {
			src = &c->spd.that.host_addr;
			dst = &c->spd.this.host_addr;
			set_text_said(n, dst, sa.spi, proto);
		} else {
			src = &c->spd.this.host_addr;
			dst = &c->spd.that.host_addr;
			set_text_said(n, src, sa.spi, proto);
		}
	} else {
		if (dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD) {
			src = &c->spd.that.host_addr;
			dst = &c->spd.this.host_addr;
			set_text_said(n, src, sa.spi, proto);
		} else {
			src = &c->spd.this.host_addr;
			dst = &c->spd.that.host_addr;
			set_text_said(n, dst, sa.spi, proto);
			}
		}
	}

I'm a little surprised and puzzled that the second args to
set_text_said calls go
	dst
	src
	src
	dst
My intuition says that these should each be "dst".

Even if that's not correct, it feels as if the either the first pair
or the second pair is reversed.

Note: the text_said only appears in logging so being wrong has no
serious consequences.

Observations:

If !(dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD)
then dir == XFRM_POLICY_OUT.

Kernel IPSec SA's are unidirectional.
The SAID includes the destination address of packets carried by the SA.
I think that in each case, the destination address is "dst".

There are currently three calls to this function, all within one 
statement of the function netlink_migrate_sa:
	return
		create_xfrm_migrate_sa(st, XFRM_POLICY_OUT, &sa, mig_said) &&
		migrate_xfrm_sa(&sa, st->st_logger) &&

		create_xfrm_migrate_sa(st, XFRM_POLICY_IN, &sa, mig_said) &&
		migrate_xfrm_sa(&sa, st->st_logger) &&

		create_xfrm_migrate_sa(st, XFRM_POLICY_FWD, &sa, mig_said) &&
		migrate_xfrm_sa(&sa, st->st_logger);


dir is the second argument of create_xfrm_migrate_sa.  Clearly it can
only have one of three values: XFRM_POLICY_OUT, XFRM_POLICY_IN,
XFRM_POLICY_FWD.  So the test of dir could be simplified to
	dir != XFRM_POLICY_OUT

Each IPSec SA is unidirectional.  That's why they come in pairs, one
for each direction.

The SAID is a triple: destination IP, SPI, protocol (eg. AH or ESP).

The test dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD must be
telling us whether we're dealing with an inbound SA.  If it's true, it
must be inbound.


More information about the Swan-dev mailing list