lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Tue, 11 Dec 2007 22:37:06 -0500
From:	Yogesh Raju Sreenivasan <>
Subject: Labeled IPsec with NAT

I am working on setting up Labeled IPsec along with iptables nat  
rules. Once I insert nat related rules, the ipsec connection breaks  
and the system tries to re-negotiate and creates multiple SAs. I am  
using 2.6.19 kernel (with Venkat's MLSXFRM patches & bugfixes). I  
guess those were incorporated into the 2.6.20 kernel.

In my case, the function ip_route_me_harder() calls the xfrm_lookup()  
second time which is causing the re-negotiation. I believe it is  
because the flowi->secid field is not set during the second  
xfrm_lookup() call. The ip_route_me_harder() function also calls the  
xfrm_decode_session() which I guess creates/fills the flowi details  
and selinux_xfrm_decode_session fills the flowi->secid from the  
skbuff->sec_path field. But since the skbuff->secpath field is not  
set, the flowi->secid field is reset to 0 on the decode_session()  
call. It seems like we have to fill in the secpath while creating the  
skbuff, before calling the xfrm_decode_session, for the output flow.

Please do let me know if someone has already looked into this issue  
and would be helpful if you could guide me with this. If someone has  
already tested labeled ipsec with NAT and if my understanding is not  
correct do let me know, I am new to linux kernel and finding it  
difficult to reason out the exact cause.


Download attachment "PGP.sig" of type "application/pgp-signature" (187 bytes)

Powered by blists - more mailing lists