Hello, I'm currently hacking on /usr/src/sys/net/pfkey* because I urgently need to prevent the kernel from installing SAs with the value "default" for both sides. In case I got the terminology wrong, I need to prevent this situation, as it brings down networking completely:
> 0/0 0 0/0 0 0 gatewayIP/50/use/in
> 0/0 0 0/0 0 0 gatewayIP/50/require/out

Or, as shown in 4.6 by ipsecctl:

...
flow esp in from 172.18.100.139 to 0.0.0.0/0 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type use
flow esp out from 0.0.0.0/0 to 172.18.100.139 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type require
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type require
...

I'm trying to prevent the two flows

flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type require

from getting established.

It would be kind if you could tell me whether I'm reading the code correctly so far:

In pfkeyv2_parsemessage.c's

    int pfkeyv2_parsemessage(void *p, int len, void **headers)

p and len are input parameters, and headers is an output parameter.

In pfkeyv2.c,

    int pfkeyv2_send(struct socket *socket, void *message, int len)

is the central place through which all messages that, e.g., isakmpd might send to the kernel pass. That's what the comment suggests.

I'm thinking about putting a check after this statement:

    smsg = (struct sadb_msg *) headers[0];

in the function pfkeyv2_send() (around line 913) that makes the function print an error message and stop processing if the 'message' argument would lead to the creation of a flow like the one shown above.

It would be nice if someone could make a short statement about what the different names are for, e.g. what's the difference between SADB_EXT_ADDRESS_SRC and SADB_X_EXT_SRC_FLOW, or more generally, what the '_X' in the name should tell me.
I'd also be very grateful if you could tell me which message types I should be looking at, out of the list of #defines below this #define in sys/net/pfkeyv2.h:

    #define _OPENBSD_IPSEC_API_VERSION 2

TIA!

Kind regards,
--Toni++
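One way to spot the catch-all flows described above on a running gateway, added here as an example that is not part of the original post: it reads ipsecctl -s flow output and reports every flow whose from- and to-selectors are both the wildcard. The sample lines are constructed from the shape of the output quoted in the post, and the awk field positions assume that "flow esp DIR from SRC to DST peer PEER ..." layout.

```shell
#!/bin/sh
# Added example (not from the original post): detect catch-all IPsec flows,
# i.e. "from 0.0.0.0/0 to 0.0.0.0/0", in "ipsecctl -s flow" output.
# Assumption: the field layout "flow esp DIR from SRC to DST peer PEER ..."
# shown in the post; field numbers below depend on it.

# Constructed sample, shaped like the output quoted in the post.
SAMPLE_FLOWS='flow esp in from 172.18.100.139 to 0.0.0.0/0 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type use
flow esp out from 0.0.0.0/0 to 172.18.100.139 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type require
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 87.186.99.179 srcid gatewayip/32 dstid uf...@example.com type require'

# catchall_flows: read flow lines on stdin, print only those whose from- and
# to-selectors are both the wildcard (0.0.0.0/0 for IPv4, ::/0 for IPv6).
catchall_flows() {
    awk '$1 == "flow" && $4 == "from" && $6 == "to" &&
         ($5 == "0.0.0.0/0" || $5 == "::/0") &&
         ($7 == "0.0.0.0/0" || $7 == "::/0")'
}

# is_catchall_flow LINE: exit 0 when the single line LINE is a catch-all flow.
is_catchall_flow() {
    [ -n "$(printf '%s\n' "$1" | catchall_flows)" ]
}

# count_catchall_flows: print how many catch-all flows the stdin listing holds.
count_catchall_flows() {
    catchall_flows | wc -l | tr -d ' '
}

# check_sample: run the check over the constructed listing (prints 2).
check_sample() {
    printf '%s\n' "$SAMPLE_FLOWS" | count_catchall_flows
}
```

On a live system the same filter runs as `ipsecctl -s flow | catchall_flows`; a non-empty result means the kernel has installed the flows the post is trying to prevent.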