From: Tobias Brunner
Date: Wed, 19 Mar 2025 15:27:39 +0000 (+0100)
Subject: kernel-netlink: Add support for acquire sequence numbers
X-Git-Tag: 6.0.2dr1~6^2~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b024b7e9a652f10f45fcbffb2c95edeef36be056;p=thirdparty%2Fstrongswan.git

kernel-netlink: Add support for acquire sequence numbers

Note that while PF_KEYv2 also uses sequence numbers to identify acquires, which we currently don't use correctly by the way, it does not include information about the packet that triggered an acquire. What we receive in src and dst, and currently forward as traffic selectors, are actually the designated endpoints of the SA. So especially in tunnel mode this is useless to do narrowing on the responder (these addresses might not even match the configured TS).
---

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index df28228853..138e420753 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1010,12 +1010,12 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this,
 break;
 default:
 /* acquire for AH/ESP only, not for IPCOMP */
- return;
 }
 data.src = selector2ts(&acquire->sel, TRUE);
 data.dst = selector2ts(&acquire->sel, FALSE);
 data.label = label.len ? sec_label_from_encoding(label) : NULL;
+ data.seq = acquire->seq;
 charon->kernel->acquire(charon->kernel, reqid, &data);
@@ -1188,7 +1188,7 @@ CALLBACK(receive_events, void,
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
 private_kernel_netlink_ipsec_t *this)
 {
- return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI |
+ return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI | KERNEL_ACQUIRE_SEQ |
 (this->sa_lastused ? KERNEL_SA_USE_TIME : 0);
 }
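Review bot: The new `data.seq = acquire->seq;` assignment in process_acquire stores a kernel-supplied value whose purpose is only visible in the add_sa hunk further down, where it is copied into `sa->seq`; a short comment at the assignment would spare the next reader that lookup, e.g. `/* sequence number of this kernel acquire; add_sa() passes it back so the kernel can associate the resulting SA with the pending acquire (presumably -- confirm against the XFRM docs) */`. Separately, the hunk as rendered shows a `-` marker in front of the `return;` of the `default:` branch; if that is a real deletion rather than a rendering artifact, acquires for protocols other than AH/ESP would now fall through to `charon->kernel->acquire()`, contradicting the comment directly above it, so this is worth confirming against the full patch. process_acquire begins and ends outside the hunk.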
@@ -1751,6 +1751,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 sa->id.proto = id->proto;
 sa->family = id->src->get_family(id->src);
 sa->mode = mode2kernel(mode);
+ sa->seq = data->seq;
 if (!data->copy_ecn)
 {