kernel-netlink: Add support for acquire sequence numbers

Note that while PF_KEYv2 also uses sequence numbers to identify acquires,
which we currently don't use correctly by the way, it does not include
information about the packet that triggered an acquire.  What we receive
in src and dst, and currently forward as traffic selectors, are actually
the designated endpoints of the SA. So especially in tunnel mode this is
useless to do narrowing on the responder (these addresses might not even
match the configured TS).

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index df2822885312a5b172460baab13faba884badf31..138e420753ff95bb426e9697493c3665f5072b15 100644 (file)
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1010,12 +1010,12 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this,
                        break;
                default:
                        /* acquire for AH/ESP only, not for IPCOMP */
-
                        return;
        }
        data.src = selector2ts(&acquire->sel, TRUE);
        data.dst = selector2ts(&acquire->sel, FALSE);
        data.label = label.len ? sec_label_from_encoding(label) : NULL;
+       data.seq = acquire->seq;
 
        charon->kernel->acquire(charon->kernel, reqid, &data);
 
@@ -1188,7 +1188,7 @@ CALLBACK(receive_events, void,
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
        private_kernel_netlink_ipsec_t *this)
 {
-       return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI |
+       return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI | KERNEL_ACQUIRE_SEQ |
                        (this->sa_lastused ? KERNEL_SA_USE_TIME : 0);
 }
 
@@ -1751,6 +1751,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        sa->id.proto = id->proto;
        sa->family = id->src->get_family(id->src);
        sa->mode = mode2kernel(mode);
+       sa->seq = data->seq;
 
        if (!data->copy_ecn)
        {