[redhat-lspp] Inbound XFRM state during forwarding

Paul Moore paul.moore at hp.com
Fri Oct 20 16:02:09 UTC 2006


During the LSPP conference call this past Monday (10/16) it was realized that
one of the main reasons for wanting to use the sk_buff->secmark field was that
labeled IPsec needed the field to preserve the packet's context in the case of
forwarding.

I just spent the past couple of hours looking at the kernel trying to trace an
IPsec packet's path through the stack from when it first enters to when it
leaves through the forwarding path.  From what I can tell it appears that the
XFRM state is kept in the sk_buff->sp field for inbound transforms and in the
sk_buff->dst->xfrm field for outbound transforms.  Unless I missed something
somewhere (very possible, I was looking at a *lot* of code this morning) it
seems like we should be able to retrieve the context from the inbound SAs
without problem, eliminating the need to overload/split/etc. the
sk_buff->secmark field.

If I'm wrong about the XFRM state could someone please correct me?

-- 
paul moore
linux security @ hp
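To make the retrieval path described in the message concrete, here is an added user-space model (not kernel code and not part of the original post) of walking the inbound SAs hanging off the sk_buff's sp field to recover the packet's security context. The struct names (sk_buff, sec_path, xfrm_state, xfrm_sec_ctx) mirror the kernel's, but the definitions are simplified stand-ins and the conflict check is an assumption about what a sane policy would want, not a statement of what the kernel does.

```c
/* Simplified stand-ins for the kernel structures (hypothetical, not the real ones). */
#include <stddef.h>
#include <stdio.h>

#define XFRM_MAX_DEPTH 6
#define SECSID_NULL 0

struct xfrm_sec_ctx { unsigned int ctx_sid; };              /* label carried by the SA */
struct xfrm_state   { struct xfrm_sec_ctx *security; };     /* NULL for an unlabeled SA */
struct sec_path     { int len; struct xfrm_state *xvec[XFRM_MAX_DEPTH]; }; /* inbound SAs */
struct sk_buff      { struct sec_path *sp; unsigned int secmark; };

/* Walk the inbound transforms and return the SID of the labeled SA(s).
 * Leaves *sid at SECSID_NULL when the packet came in the clear or only
 * through unlabeled SAs. Nested SAs carrying different labels are treated
 * as an error (-1) so the caller can drop instead of guessing. */
int inbound_xfrm_sid(const struct sk_buff *skb, unsigned int *sid)
{
    *sid = SECSID_NULL;
    if (!skb->sp)
        return 0;
    for (int i = 0; i < skb->sp->len; i++) {
        const struct xfrm_state *x = skb->sp->xvec[i];
        if (!x || !x->security)
            continue;
        if (*sid != SECSID_NULL && *sid != x->security->ctx_sid)
            return -1;
        *sid = x->security->ctx_sid;
    }
    return 0;
}

/* Constructed packet: one unlabeled and one labeled inbound SA, secmark untouched. */
int demo(void)
{
    struct xfrm_sec_ctx ctx = { .ctx_sid = 42 };
    struct xfrm_state labeled = { .security = &ctx }, plain = { .security = NULL };
    struct sec_path sp = { .len = 2, .xvec = { &plain, &labeled } };
    struct sk_buff skb = { .sp = &sp, .secmark = 0 };
    unsigned int sid;
    if (inbound_xfrm_sid(&skb, &sid) != 0)
        return -1;
    printf("forwarded packet keeps SID %u; secmark stays %u\n", sid, skb.secmark);
    return (int)sid;
}
```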