Date: Tue, 11 Dec 2007 22:37:06 -0500
From: Yogesh Raju Sreenivasan <sreeniva@....psu.edu>
To: netdev@...r.kernel.org
Subject: Labeled IPsec with NAT
I am working on setting up Labeled IPsec along with iptables NAT
rules. Once I insert NAT-related rules, the IPsec connection breaks
and the system tries to re-negotiate and creates multiple SAs. I am
using the 2.6.19 kernel (with Venkat's MLSXFRM patches & bugfixes). I
guess those were incorporated into the 2.6.20 kernel.

In my case, the function ip_route_me_harder() calls xfrm_lookup() a
second time, which is causing the re-negotiation. I believe it is
because the flowi->secid field is not set during the second
xfrm_lookup() call. The ip_route_me_harder() function also calls
xfrm_decode_session(), which I guess creates/fills the flowi details,
and selinux_xfrm_decode_session fills flowi->secid from the
skbuff->sec_path field. But since the skbuff->secpath field is not
set, the flowi->secid field is reset to 0 on the decode_session()
call. It seems like we have to fill in the secpath while creating the
skbuff, before calling xfrm_decode_session, for the output flow.

Please do let me know if someone has already looked into this issue;
it would be helpful if you could guide me with this. If someone has
already tested Labeled IPsec with NAT and my understanding is not
correct, do let me know. I am new to the Linux kernel and am finding it
difficult to reason out the exact cause.
Thanks
Yogesh