updated patch - (was Re: fix for IPSEC-IPV4 breakage)

Andrew Atrens atrens at nortelnetworks.com
Mon Oct 18 08:51:54 PDT 2004


Folks,

After reading some mbuf documentation and doing some more testing I've
updated my patch. I've tested it with both IPSEC and FAST_IPSEC, and it
appears to work. I suppose that I haven't tested everything, but nfs/udp and
nfs/tcp work, as do telnet, ftp and ping, so it's encouraging but far from
final. :)

Andrew.
--- /usr/src/sys/netinet6/esp_core.c	2004-06-02 10:43:01.000000000 -0400
+++ esp_core.c	2004-10-18 08:33:56.000000000 -0400
@@ -765,7 +765,36 @@
 
 	m_freem(scut->m_next);
 	scut->m_len = scutoff;
-	scut->m_next = d0;
+	if ( d0 ) {
+		/*
+		 * tcp_input/udp_input want the entire packet header
+		 * to be in the same, first mbuf.
+		 *
+		 * To accomplish this we need to copy back the decrypted
+		 * contents of d0 into the head mbuf.
+		 */
+		if ( d0->m_len + scutoff <= MHLEN ) {
+			bcopy( mtod(d0, u_int8_t *), 
+				mtod(scut, u_int8_t *) + scutoff, d0->m_len );
+			scut->m_len += d0->m_len; /* adjust length */
+			scut->m_next = d0->m_next;/* link in d0's chain */
+			d0->m_next = 0;           /* isolate d0 */
+			m_freem(d0);              /* free d0 */
+		} else {
+			u_int8_t *d0base = mtod(d0, u_int8_t *);
+			int scutlen = MHLEN - scutoff; /* data to back-copy */
+			int d0len = d0->m_len - scutlen; /* length to perserve */
+			bcopy( d0base,
+				mtod(scut, u_int8_t *) + scutoff, scutlen );
+			for ( ; d0len ; d0base++, d0len-- )
+				*d0base = d0base[scutlen];
+			scut->m_len += scutlen; /* adjust length of head mbuf */
+			d0->m_len -= scutlen;   /* shrink d0 */
+			scut->m_next = d0; /* link in */
+		}
+	} else {
+		scut->m_next = 0; /* no d0, so no chain */
+	}
 
 	/* just in case */
 	bzero(iv, sizeof(iv));
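Review bot: The capacity test `d0->m_len + scutoff <= MHLEN` and the else branch's `int scutlen = MHLEN - scutoff;` both assume that scut is a packet-header mbuf whose data starts at the beginning of its internal buffer, and nothing in the hunk checks that. If scut's data pointer is offset into the buffer, or scut is not a header mbuf, the bcopy to `mtod(scut, u_int8_t *) + scutoff` can run past the end of the storage. If scutoff is ever larger than MHLEN, scutlen becomes negative and is passed to bcopy as a length, and the shift loop then reads beyond d0's data. Suggest bounding both copies by M_TRAILINGSPACE(scut), evaluated after `scut->m_len = scutoff;`, and handling the case where that space is zero explicitly. In the else branch the byte-by-byte shift loop could be replaced with m_adj(d0, scutlen), which trims the copied bytes from the front of d0 without moving the remaining data. The comment typo "perserve" should read "preserve".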



