_decode_session6 issue when ipsec packet re routing

From: nickcave
Date: Wed May 07 2014 - 04:10:53 EST


Hi All:

I am working on Android kk4.4 with kernel version 3.10.
I hit a problem with IPsec + IPv6 + the iptables mangle table.

I built a non-default network interface ccinet0 with IP address
fd00:0:20:1::1:1 and added some mangle rules (attached at the
end). Then I added an IPsec SA with ip xfrm and tried to send a UDP packet to
fd00:0:20:1::1:4, and I found the packet was sent out in plaintext.

Once I delete the mangle rule, it works well.

So I traced the kernel.

Since the mangle table mark is set, in ip6t_mangle_out, when
ip6t_do_table is called, the skb needs re-routing by calling
ip6_route_me_harder.

The result was that the xfrm policy could not be matched in ip6_route_me_harder
and the packet was sent out in plaintext.

I found it's caused by
ip6_route_me_harder -> xfrm_decode_session -> _decode_session6: the
function gets nexthdr from the cb, which is not correct in this case.
u8 nexthdr = nh[IP6CB(skb)->nhoff]; // in my case, the nexthdr is
always 96, which caused the issue

And I checked the IPv4 code; IPv4 gets the protocol info from the skb header directly:
const struct iphdr *iph = ip_hdr(skb);

Is it a kernel issue?

Hui Zhang


root@localhost:/ # ip6tables -S -t mangle
ip6tables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N bw_mangle_POSTROUTING
-N idletimer_mangle_POSTROUTING
-N st_mangle_EXEMPT
-N st_mangle_OUTPUT
-N st_mangle_POSTROUTING
-A OUTPUT -j st_mangle_EXEMPT
-A OUTPUT -j st_mangle_OUTPUT
-A POSTROUTING -j bw_mangle_POSTROUTING
-A POSTROUTING -j idletimer_mangle_POSTROUTING
-A POSTROUTING -j st_mangle_POSTROUTING
-A bw_mangle_POSTROUTING -m owner --socket-exists
-A st_mangle_EXEMPT -d fd00:0:20:1::1:4/128 -j MARK --set-xmark 0x1/0xffffffff
-A st_mangle_EXEMPT -d fd00:0:20:1::1:5/128 -j MARK --set-xmark 0x1/0xffffffff
-A st_mangle_OUTPUT -m mark --mark 0x1 -j RETURN
-A st_mangle_OUTPUT -m owner --uid-owner 1016 -j RETURN


root@localhost:/ # ip -6 rule
ip -6 rule
0: from all lookup local
99: from all to fd00:0:20:1::1:4 lookup main
99: from all to fd00:0:20:1::1:5 lookup main
32766: from all lookup main
32767: from all lookup default

255|root@localhost:/ # ip -6 route list table all
ip -6 route list table all
default dev ccinet0 table 61 metric 1024
unreachable default dev lo table 0 proto kernel metric 4294967295 error -101
unreachable default dev lo table 0 proto kernel metric 4294967295 error -101
fd00:0:0:2::/64 dev ccinet0 proto kernel metric 256
fd00:0:20:1::1:4 dev ccinet0 metric 1024
fd00:0:20:1::1:5 dev ccinet0 metric 1024
fe80::/64 dev ccinet0 proto kernel metric 256
unreachable default dev lo table 0 proto kernel metric 4294967295 error -101
local ::1 dev lo table local proto none metric 0
local fd00:0:0:2::1 dev lo table local proto none metric 0
local fe80::1 dev lo table local proto none metric 0
ff00::/8 dev ccinet0 table local metric 256
unreachable default dev lo table 0 proto kernel metric 4294967295 error -101
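The report above hinges on what the cached offset IP6CB(skb)->nhoff is supposed to point at: the nexthdr byte of the last header before the transport header (offset 6 in the fixed IPv6 header when there are no extension headers). The following user-space program is an added example, not kernel code and not from the poster; it walks the extension-header chain from the fixed header itself, the way the IPv4 path reads the protocol straight from the header, and reports both the upper-layer protocol and the offset at which that nexthdr byte lives. The packet bytes are constructed here (IPv6 with one Destination Options header followed by UDP, using the addresses from the report); ip6_nexthdr_at is a hypothetical helper that mimics the nh[nhoff] read with a caller-supplied offset, so you can see what a stale offset returns.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol / extension-header numbers, same values the kernel uses. */
#define IPV6_HDR_LEN     40
#define NEXTHDR_HOP       0
#define NEXTHDR_UDP      17
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_NONE     59
#define NEXTHDR_DEST     60

struct ip6_walk {
    int upper_proto;    /* upper-layer protocol number */
    size_t nhoff;       /* offset of the nexthdr byte that names upper_proto */
    size_t payload_off; /* offset where the upper-layer header starts */
};

/* Walk the header chain of pkt[0..len). Returns 0 on success, -1 on a
 * truncated or malformed chain or on a non-first fragment (which carries
 * no upper-layer header at all). */
int ip6_walk_headers(const uint8_t *pkt, size_t len, struct ip6_walk *w)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    size_t nhoff = 6;                /* nexthdr field of the fixed header */
    uint8_t nexthdr = pkt[nhoff];
    size_t off = IPV6_HDR_LEN;
    for (int hops = 0; hops < 8; hops++) {   /* bound the walk */
        switch (nexthdr) {
        case NEXTHDR_HOP:
        case NEXTHDR_DEST:
        case NEXTHDR_ROUTING: {
            if (off + 2 > len) return -1;
            size_t hlen = ((size_t)pkt[off + 1] + 1) * 8; /* len in 8-octet units, excl. first */
            if (off + hlen > len) return -1;
            nhoff = off;                     /* this header's own nexthdr byte */
            nexthdr = pkt[off];
            off += hlen;
            break;
        }
        case NEXTHDR_FRAGMENT: {
            if (off + 8 > len) return -1;
            uint16_t fo = (((uint16_t)pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8;
            if (fo != 0) return -1;          /* not the first fragment */
            nhoff = off;
            nexthdr = pkt[off];
            off += 8;
            break;
        }
        case NEXTHDR_NONE:
            return -1;
        default:                             /* transport header reached */
            w->upper_proto = nexthdr;
            w->nhoff = nhoff;
            w->payload_off = off;
            return 0;
        }
    }
    return -1;
}

/* Hypothetical helper: the nh[nhoff] read with an offset the caller trusts. */
int ip6_nexthdr_at(const uint8_t *pkt, size_t len, size_t nhoff)
{
    return nhoff < len ? pkt[nhoff] : -1;
}

/* Constructed sample: IPv6 | Destination Options (8 bytes, PadN) | UDP. */
size_t build_sample_packet(uint8_t *buf, size_t cap)
{
    static const uint8_t pkt[] = {
        0x60, 0x00, 0x00, 0x00,          /* version 6, tc/flow label 0 */
        0x00, 0x10,                      /* payload length 16 */
        NEXTHDR_DEST, 0x40,              /* nexthdr = 60, hop limit 64 */
        /* src fd00:0:20:1::1:1 */
        0xfd,0x00,0x00,0x00,0x00,0x20,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x01,
        /* dst fd00:0:20:1::1:4 */
        0xfd,0x00,0x00,0x00,0x00,0x20,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x04,
        /* Destination Options: nexthdr 17, hdr ext len 0, PadN(4) */
        NEXTHDR_UDP, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00,
        /* UDP: sport 5000, dport 5001, length 8, checksum 0 */
        0x13, 0x88, 0x13, 0x89, 0x00, 0x08, 0x00, 0x00,
    };
    if (cap < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

int main(void)
{
    uint8_t buf[128];
    size_t len = build_sample_packet(buf, sizeof buf);
    struct ip6_walk w;
    if (ip6_walk_headers(buf, len, &w) == 0)
        printf("upper proto %d, nhoff %zu, payload at %zu\n",
               w.upper_proto, w.nhoff, w.payload_off);
    /* A stale nhoff of 6 names the extension header (60), not UDP (17). */
    printf("nh[6] = %d\n", ip6_nexthdr_at(buf, len, 6));
    return 0;
}
```

For the sample packet the walk reports protocol 17 with nhoff 40 and the UDP header at offset 48, while reading nh[6] yields 60: any cached offset that was not updated for the header chain of the packet actually being routed produces a protocol number the xfrm selector will never match, which is the symptom the report describes. A policy lookup that reads the protocol from the headers it can see, as the IPv4 path does, is robust against that class of stale state.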