[redhat-lspp] RE: [IPSEC] flow: Cache negative results
Venkat Yekkirala
vyekkirala at trustedcs.com
Fri Jan 12 22:22:11 UTC 2007
> In our lspp kernel, xfrm_policy_lookup() returns -ESRCH to
> flow_cache_lookup() when he is not able to find a policy.
> (as is the case with unlabeled_packets)
> flow_cache_lookup() then processes this as an error.
>
> In the upstream kernel (I have been looking at 2.6.20-rc3-git4),
> xfrm_policy_lookup() returns 0 in this case...
>
> flow_cache_lookup() then treats it as an error in lspp kernel
> and as a success in the 2.6.0-rc3-git4 kernel.org kernel.
>
> I tried the following patch and I was finally able to receive
> unlabeled packets in lspp kernel when a single ipsec policy
> is entered!
Right on the dot. Seems like the bug was introduced when backporting
patch 2 from the following patch series (IPSec leak patch) to the lspp
kernel:
http://marc.theaimsgroup.com/?l=linux-netdev&m=116041139109839&w=2
Like you mentioned, this is applicable only to the lspp kernel.
>
> Please let me know if this looks ok and I am not
> jumping the gun. This only applies to our lspp kernel
> and was built against lspp62 kernel.
>
> Regards,
> Joy
>
> diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c
> linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c
> --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c 2007-01-11
> 15:56:23.000000000 -0600
> +++ linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c 2007-01-11
> 16:28:10.000000000 -0600
> @@ -609,7 +609,7 @@ static int xfrm_policy_lookup(struct flo
> void **objp, atomic_t **obj_refp)
> {
> struct xfrm_policy *pol;
> - int ret = -ESRCH;
> + int ret = 0;
>
> read_lock_bh(&xfrm_policy_lock);
> for (pol = xfrm_policy_list[dir]; pol; pol = pol->next) {
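Review bot: `int ret = 0;` at the top of xfrm_policy_lookup() needs a comment, because with this initializer a walk of xfrm_policy_list[dir] that matches nothing returns the same value as a successful lookup. The caller can then only tell the two cases apart by whether *objp was filled in, and nothing in the visible lines shows *objp being cleared on the no-match path. Please confirm that it is, and state in the comment that "no policy found" is deliberately reported as 0 with an empty *objp rather than as an error.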
> @@ -627,6 +627,8 @@ static int xfrm_policy_lookup(struct flo
> xfrm_pol_hold(pol);
> break;
> }
> + if (ret == -ESRCH)
> + ret = 0;
> }
> }
> read_unlock_bh(&xfrm_policy_lock);
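Review bot: the added `if (ret == -ESRCH) ret = 0;` sits inside the for loop, so it runs on every iteration and discards -ESRCH with no comment saying which call in the loop body still produces that value now that the initializer is 0. If the intent is only that "no policy matched" must not reach the caller as an error, consider doing the conversion once after the loop, just before read_unlock_bh(&xfrm_policy_lock). Either way, add a comment explaining why -ESRCH is dropped here while other error codes are left untouched.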
>
>
>
>