
List:       keepalived-devel
Subject:    [Keepalived-devel] fix incorrect ipsec ah for kernel filled-in ip id
From:       Siim_Põder <siim () p6drad-teel ! net>
Date:       2009-02-04 12:30:00
Message-ID: 49898A48.1020706 () p6drad-teel ! net

Hi

If using AH auth for vrrp, ip_id = 0 will be filled in by kernel,
invalidating the IPSEC AH. This results in daily log messages
complaining about those packets. Something along these lines will fix
the behaviour for 1.1.12 (quick glance at 1.1.15 suggested it was not
fixed there either):

--- keepalived_orig/keepalived/vrrp/vrrp.c	2009-02-04 14:07:00.000000000
+0200
+++ keepalived_patched/keepalived/vrrp/vrrp.c	2009-02-04
14:08:09.000000000 +0200
@@ -316,7 +316,10 @@
 	ip->tos = 0;
 	ip->tot_len = ip->ihl * 4 + vrrp_hd_len(vrrp);
 	ip->tot_len = htons(ip->tot_len);
-	ip->id = ++vrrp->ip_id;
+	ip->id = htons(++vrrp->ip_id);
+	/* kernel will fill in ID if left to 0, so we overflow to 1 */
+	if (vrrp->ip_id == 65535)
+		vrrp->ip_id = 1;
 	ip->frag_off = 0;
 	ip->ttl = VRRP_IP_TTL;
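
Review bot: The wrap check placed after the `ip->id` assignment resets `vrrp->ip_id` to 1, but the next packet pre-increments before use, so the ID that follows 65535 is 2, not 1 as the comment says. That still keeps 0 off the wire, so either reset to 0 here (the `++` then yields 1) or reword the comment to match. The `htons()` added on the same line is a separate byte-order change that the message does not mention; zero is zero in either byte order, so the wrap fix does not depend on it, and it deserves its own line in the description.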
