lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <496784AE.6000505@iki.fi>
Date:	Fri, 09 Jan 2009 19:09:02 +0200
From:	Timo Teräs <timo.teras@....fi>
To:	netdev@...r.kernel.org
Subject: Re: ip xfrm policy semantics

Timo Teräs wrote:
> So what I want is that locally generated / received packages should
> be protected by the ipsec policy. But forwarded GRE packets (that are
> masqueraded) should not get any xfrm treatment.
> 
> It looks like that if xfrm out policy still affects the forwarded packets.
> If I add an overriding policy for the PPTP server, things seem to work
> better. But I'd rather not do that as it's a bit hacky.
> 
> I was not able to find any authoritative place how netfilter and xfrm policies
> and routing interact. The only thing I found was [1], but that seems to be
> inaccurate. Anyone care to shed light on this part?
> 
> [1] http://www.strongswan.org/docs/netfilter.pdf

Ok, I tried to find what the code does. Apparently the ip_forward() calls 
xfrm4_route_forward() which ends up doing __xfrm_route_forward() falling
back to xfrm_lookup() which is fixed to use XFRM_POLICY_OUT. So 'out'
policy is always used; even for packets that are being forwarded.

Ok, now I tried adding:
  policy in  src pptp-server
  policy out dst pptp-server
  policy out dst internal-pptp-client

all with high priority and policy 'none'. Now it looks like the packets
from pptp-client go out to internet properly. The connection tracking
entries are recorded, but the reply packets from pptp-server do not
get back to internal-pptp-client. Apparently the 'none' policy prevents
NAT to work.

And yes, when there is no XFRM policies at all, the PPTP connection
works great.

Any ideas what would the proper way to patch XFRM to distinguish if
forwarded packets should be touched or not?

There's several things that differ:
- gre inner protocol
- gre key
- input interface
- forwarded/local

I'm thinking the easiest way out is to make XFRM GRE aware and add
an upper layer match (like icmp code; we could have gre key). But
I'm out of good ideas how to properly tie the policy to be my
local gre interface specific.

- Timo

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ