_decode_session6 issue when IPsec packet re-routing
From: nickcave
Date: Wed May 07 2014 - 04:10:53 EST
Hi All:
I am working on Android KK 4.4 with kernel version 3.10.
I met a problem with IPsec + IPv6 + iptables mangle rules.
I built a non-default network interface ccinet0 with IP address
fd00:0:20:1::1:1 and added some mangle rules (I attached them at the
end). Then I added an IPsec SA via ip xfrm and tried to send a UDP packet to
fd00:0:20:1::1:4, and I found the packet was sent out in plaintext.
Once I delete the mangle rules, it works well.
So I traced the kernel.
Since the mangle table mark is set,
in ip6t_mangle_out, when ip6t_do_table is called, the skb needs
re-routing by calling ip6_route_me_harder.
The result was that the xfrm policy could not be matched in ip6_route_me_harder
and the packet was sent out in plaintext.
I found it is caused by
ip6_route_me_harder->xfrm_decode_session->_decode_session6: the
function gets nexthdr from the cb, which is not correct in this case.
u8 nexthdr = nh[IP6CB(skb)->nhoff]; /* in my case, the nexthdr is always 96, which caused the issue */
And I checked the IPv4 code; IPv4 gets the protocol info from the skb header directly:
const struct iphdr *iph = ip_hdr(skb);
Is it a kernel issue?
Hui Zhang
root@localhost:/ # ip6tables -S -t mangle
ip6tables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N bw_mangle_POSTROUTING
-N idletimer_mangle_POSTROUTING
-N st_mangle_EXEMPT
-N st_mangle_OUTPUT
-N st_mangle_POSTROUTING
-A OUTPUT -j st_mangle_EXEMPT
-A OUTPUT -j st_mangle_OUTPUT
-A POSTROUTING -j bw_mangle_POSTROUTING
-A POSTROUTING -j idletimer_mangle_POSTROUTING
-A POSTROUTING -j st_mangle_POSTROUTING
-A bw_mangle_POSTROUTING -m owner --socket-exists
-A st_mangle_EXEMPT -d fd00:0:20:1::1:4/128 -j MARK --set-xmark 0x1/0xffffffff
-A st_mangle_EXEMPT -d fd00:0:20:1::1:5/128 -j MARK --set-xmark 0x1/0xffffffff
-A st_mangle_OUTPUT -m mark --mark 0x1 -j RETURN
-A st_mangle_OUTPUT -m owner --uid-owner 1016 -j RETURN
root@localhost:/ # ip -6 rule
ip -6 rule
0: from all lookup local
99: from all to fd00:0:20:1::1:4 lookup main
99: from all to fd00:0:20:1::1:5 lookup main
32766: from all lookup main
32767: from all lookup default
255|root@localhost:/ # ip -6 route list table all
ip -6 route list table all
default dev ccinet0 table 61 metric 1024
unreachable default dev lo table 0 proto kernel metric 4294967295 error -101
unreachable default dev lo table 0 proto kernel metric 4294967295 error -101
fd00:0:0:2::/64 dev ccinet0 proto kernel metric 256
fd00:0:20:1::1:4 dev ccinet0 metric 1024
fd00:0:20:1::1:5 dev ccinet0 metric 1024
fe80::/64 dev ccinet0 proto kernel metric 256
unreachable default dev lo table 0 proto kernel metric 4294967295 error -101
local ::1 dev lo table local proto none metric 0
local fd00:0:0:2::1 dev lo table local proto none metric 0
local fe80::1 dev lo table local proto none metric 0
ff00::/8 dev ccinet0 table local metric 256
unreachable default dev lo table 0 proto kernel metric 4294967295 error -101
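The offset-versus-packet distinction the mail describes, as an added example that is not the kernel's code: a userspace C walk of the IPv6 extension-header chain that derives the upper-layer protocol and ports from the packet bytes themselves, the way the IPv4 path reads ip_hdr(skb), placed next to a function that trusts a cached offset. All names (flow6, decode_session6, stale_nexthdr, sample_pkt) and the sample packet are constructed for this example; the only fact taken from the mail is that the nexthdr read via IP6CB(skb)->nhoff is wrong in the reporter's re-routing case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 next-header values used below (IANA protocol numbers, the same
 * values as the kernel's IPPROTO_* / NEXTHDR_* constants). */
#define NH_HOPOPTS   0
#define NH_TCP       6
#define NH_UDP      17
#define NH_ROUTING  43
#define NH_FRAGMENT 44
#define NH_DSTOPTS  60

/* Hypothetical flow selector: the fields an xfrm policy lookup keys on. */
struct flow6 {
    uint8_t  proto;  /* upper-layer protocol (or the next header seen in a non-first fragment) */
    uint16_t sport;  /* transport ports, 0 when the protocol has none or they are unavailable */
    uint16_t dport;
    size_t   thoff;  /* byte offset of the upper-layer header inside the packet */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Derive the flow selector from the packet: start at the fixed header's
 * Next Header field and follow the extension-header chain until a
 * non-extension protocol is reached.  Nothing depends on state cached
 * earlier in the packet's life.  Returns 0 on success, -1 if the packet
 * is truncated or the chain is malformed. */
int decode_session6(const uint8_t *pkt, size_t len, struct flow6 *fl)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;

    uint8_t nexthdr = pkt[6];   /* Next Header of the fixed header */
    size_t off = 40;            /* extension headers start after the fixed header */
    int first_fragment = 1;

    for (;;) {
        if (nexthdr == NH_HOPOPTS || nexthdr == NH_ROUTING || nexthdr == NH_DSTOPTS) {
            /* Generic extension header: Next Header, then Hdr Ext Len in 8-octet
             * units not counting the first 8 octets */
            if (off + 8 > len)
                return -1;
            size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;
            if (off + hlen > len)
                return -1;
            nexthdr = pkt[off];
            off += hlen;
        } else if (nexthdr == NH_FRAGMENT) {
            /* Fragment header is fixed at 8 bytes; only the first fragment
             * (fragment offset 0) carries the transport header */
            if (off + 8 > len)
                return -1;
            if ((be16(pkt + off + 2) & 0xfff8) != 0)
                first_fragment = 0;
            nexthdr = pkt[off];
            off += 8;
            if (!first_fragment)
                break;
        } else {
            break;  /* upper-layer protocol: UDP, TCP, ICMPv6, ESP, AH, ... */
        }
    }

    fl->proto = nexthdr;
    fl->thoff = off;
    fl->sport = fl->dport = 0;
    if (first_fragment && (nexthdr == NH_UDP || nexthdr == NH_TCP) && off + 4 <= len) {
        fl->sport = be16(pkt + off);
        fl->dport = be16(pkt + off + 2);
    }
    return 0;
}

/* The pattern the mail points at: read the protocol through an offset cached
 * in the control block.  If that offset is stale, this returns whatever byte
 * sits there and the policy lookup is keyed on the wrong protocol. */
int stale_nexthdr(const uint8_t *pkt, size_t len, size_t nhoff)
{
    return nhoff < len ? pkt[nhoff] : -1;
}

/* Constructed sample: IPv6 fixed header, one Destination Options header, then
 * UDP.  Addresses are the ones from the mail; the ports are made up. */
static const uint8_t sample_pkt[] = {
    /* version 6, class/flow 0, payload length 16, next header 60 (Dest Opts), hop limit 64 */
    0x60, 0x00, 0x00, 0x00,  0x00, 0x10, 0x3c, 0x40,
    /* source fd00:0:20:1::1:1 */
    0xfd, 0x00, 0x00, 0x00,  0x00, 0x20, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,  0x00, 0x01, 0x00, 0x01,
    /* destination fd00:0:20:1::1:4 */
    0xfd, 0x00, 0x00, 0x00,  0x00, 0x20, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,  0x00, 0x01, 0x00, 0x04,
    /* Destination Options: next header 17 (UDP), hdr ext len 0 (8 bytes), PadN(4) */
    0x11, 0x00, 0x01, 0x04,  0x00, 0x00, 0x00, 0x00,
    /* UDP: sport 5000, dport 4500, length 8, checksum 0 */
    0x13, 0x88, 0x11, 0x94,  0x00, 0x08, 0x00, 0x00,
};

/* 1 if the flow walked out of sample_pkt equals the given selector, else 0. */
int sample_flow_matches(uint8_t proto, uint16_t sport, uint16_t dport)
{
    struct flow6 fl;
    if (decode_session6(sample_pkt, sizeof sample_pkt, &fl) != 0)
        return 0;
    return fl.proto == proto && fl.sport == sport && fl.dport == dport;
}

int main(void)
{
    struct flow6 fl;
    if (decode_session6(sample_pkt, sizeof sample_pkt, &fl) != 0)
        return 1;
    printf("walked chain: proto=%u sport=%u dport=%u thoff=%zu\n",
           fl.proto, fl.sport, fl.dport, fl.thoff);
    /* nhoff=6 points at the fixed header's Next Header field; that is only
     * right while no extension header has been consumed, so here it yields
     * 60 (Destination Options) instead of 17 (UDP) */
    printf("stale nhoff=6 gives nexthdr=%d\n",
           stale_nexthdr(sample_pkt, sizeof sample_pkt, 6));
    return 0;
}
```

The two functions show the failure mode the mail reports from the defender's side: a policy selector keyed on proto UDP matches the flow walked out of the packet but not the one built from the stale byte, so a packet that should have been protected by the SA leaves the host in the clear. When diagnosing such a case, comparing the protocol the policy expects (ip -6 xfrm policy) with what the decode path actually produced is the check that localises the bug to the session decode rather than to the rules or routes.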