[Swan-dev] text_said() calls in create_xfrm_migrate_sa() puzzle me

Antony Antony antony at phenome.org
Mon Jun 21 22:54:12 UTC 2021 

Hugh,

you spotted a bug in debug output.

I think the idea is to log <spi>@<old addres> <new address> reqid=<reqid>.
either dst or src would change. I also recollect trying to log the ports 
when there is encap.

debug output is in:
https://testing.libreswan.org/v4.4-483-g292ec75828-main/ikev2-mobike-05-gcm/OUTPUT/north.pluto.log.gz
Jun 19 16:14:55.733085: | initiator migrate kernel SA esp.626c3e9e at 192.1.3.33:500 to 192.1.8.22:500 reqid=16389 XFRM_OUT
Jun 19 16:14:55.733219: | TCP/NAT: encap type 0(none)
Jun 19 16:14:55.733283: | initiator migrate kernel SA esp.792cc8f at 192.1.3.33:500 to 192.1.8.22:500 reqid=16389 XFRM_IN
Jun 19 16:14:55.733376: | TCP/NAT: encap type 0(none)
Jun 19 16:14:55.733450: | initiator migrate kernel SA esp.792cc8f at 192.1.3.33:500 to 192.1.8.22:500 reqid=16389 XFRM_FWD

IP and ports should match output in "ip xfrm" both state and policy.

https://testing.libreswan.org/v4.4-483-g292ec75828-main/ikev2-mobike-05-gcm/OUTPUT/north.console.verbose.txt

-antony

On Sat, Jun 19, 2021 at 03:34:56PM -0400, D. Hugh Redelmeier wrote:
> I don't understand this code but I'm "improving" it, based on symmetry.
> I've hit a snag.  Advice welcome!
> 
> There are four calls to text_said.  Here's what they look like, with
> details removed:
> 
> 	if (endpoint_is_specified(st->st_mobike_local_endpoint)) {
> 		if (dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD) {
> 			src = &c->spd.that.host_addr;
> 			dst = &c->spd.this.host_addr;
> 			set_text_said(n, dst, sa.spi, proto);
> 		} else {
> 			src = &c->spd.this.host_addr;
> 			dst = &c->spd.that.host_addr;
> 			set_text_said(n, src, sa.spi, proto);
> 		}
> 	} else {
> 		if (dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD) {
> 			src = &c->spd.that.host_addr;
> 			dst = &c->spd.this.host_addr;
> 			set_text_said(n, src, sa.spi, proto);
> 		} else {
> 			src = &c->spd.this.host_addr;
> 			dst = &c->spd.that.host_addr;
> 			set_text_said(n, dst, sa.spi, proto);
> 			}
> 		}
> 	}
> 
> I'm a little surprised and puzzled that the second args to
> set_text_said calls go
> 	dst
> 	src
> 	src
> 	dst
> My intuition says that these should each be "dst".
> 
> Even if that's not correct, it feels as if the either the first pair
> or the second pair is reversed.
> 
> Note: the text_said only appears in logging so being wrong has no
> serious consequences.
> 
> Observations:
> 
> If !(dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD)
> then dir == XFRM_POLICY_OUT.
> 
> Kernel IPSec SA's are unidirectional.
> The SAID includes the destination address of packets carried by the SA.
> I think that in each case, the destination address is "dst".
> 
> There are currently three calls to this function, all within one 
> statement of the function netlink_migrate_sa:
> 	return
> 		create_xfrm_migrate_sa(st, XFRM_POLICY_OUT, &sa, mig_said) &&
> 		migrate_xfrm_sa(&sa, st->st_logger) &&
> 
> 		create_xfrm_migrate_sa(st, XFRM_POLICY_IN, &sa, mig_said) &&
> 		migrate_xfrm_sa(&sa, st->st_logger) &&
> 
> 		create_xfrm_migrate_sa(st, XFRM_POLICY_FWD, &sa, mig_said) &&
> 		migrate_xfrm_sa(&sa, st->st_logger);
> 
> 
> dir is the second argument of create_xfrm_migrate_sa.  Clearly it can
> only have one of three values: XFRM_POLICY_OUT, XFRM_POLICY_IN,
> XFRM_POLICY_FWD.  So the test of dir could be simplified to
> 	dir != XFRM_POLICY_OUT
> 
> Each IPSec SA is unidirectional.  That's why they come in pairs, one
> for each direction.
> 
> The SAID is a triple: destination IP, SPI, protocol (eg. AH or ESP).
> 
> The test dir == XFRM_POLICY_IN || dir == XFRM_POLICY_FWD must be
> telling us whether we're dealing with an inbound SA.  If it's true, it
> must be inbound.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list