Sunday, September 28, 2008

XFRM policy_check

  Today's topic: __xfrm_policy_check.

  First, it extracts the flowi information from the skb with _decode_session, and then checks skb->sp. skb->sp records the security path the packet has already walked; read xfrm4_rcv to see how skb->sp is initialised (here is a brief picture: think of an encapsulation IP+AH+ESP+L4, so the first entry on the security path is AH and the next is ESP). While checking, if skb->sp exists, each xfrm_state's selector, which stores the PROXY IP (see RFC2367), MUST match the current IP.
  Secondly, it tries as hard as it can to find a policy. If none is found, it assumes the current path needs no protection and treats the packet as a normal one. There is one exception: if skb->sp exists at the same time, it should return an error.

  Thirdly, it checks the xfrm_states in skb->sp against the corresponding policy. If skb->sp is null, nothing is really checked:
xfrm_policy_ok->xfrm_state_ok
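To make the three steps concrete, here is an added userspace model of that flow (my own sketch, not kernel code): the struct names, the reduced selector (just source and destination address) and the template match on protocol and mode are assumptions that simplify the real xfrm structures, and a missing skb->sp is modelled as an empty path.

```c
/* Added userspace model of the Linux __xfrm_policy_check() flow (not kernel code). */
#include <stdbool.h>
#include <stddef.h>

enum { PROTO_ESP = 50, PROTO_AH = 51, MODE_TRANSPORT = 0, MODE_TUNNEL = 1 };
struct flow    { unsigned saddr, daddr; };                          /* from _decode_session */
struct state   { int proto, mode; unsigned sel_saddr, sel_daddr; }; /* SA plus its selector */
struct secpath { const struct state *x; int len; };                 /* skb->sp, outermost SA first */
struct tmpl    { int proto, mode; bool optional; };
struct policy  { const struct tmpl *t; int n; bool allow; };

/* Step 1: every SA already walked must carry a selector matching the decoded flow. */
static bool secpath_matches_flow(const struct secpath *sp, const struct flow *fl) {
    for (int i = 0; i < sp->len; i++)
        if (sp->x[i].sel_saddr != fl->saddr || sp->x[i].sel_daddr != fl->daddr)
            return false;
    return true;
}

/* xfrm_state_ok: does this SA satisfy this policy template? */
static bool state_ok(const struct tmpl *t, const struct state *x) {
    return x->proto == t->proto && x->mode == t->mode;
}

/* Step 3: xfrm_policy_ok - each mandatory template must be met, in order, by an SA on sp. */
static bool policy_ok(const struct policy *pol, const struct secpath *sp) {
    int start = 0;
    for (int i = 0; i < pol->n; i++) {
        int k = start;
        while (k < sp->len && !state_ok(&pol->t[i], &sp->x[k]))
            k++;
        if (k < sp->len)                 /* satisfied by sp->x[k]; later templates look past it */
            start = k + 1;
        else if (!pol->t[i].optional)
            return false;
    }
    return true;
}

/* Returns 1 to accept the packet, 0 to drop it. pol == NULL means no policy matched. */
int xfrm_policy_check(const struct flow *fl, const struct secpath *sp, const struct policy *pol) {
    static const struct secpath empty = { NULL, 0 };   /* stands in for a missing skb->sp */
    if (sp == NULL) sp = &empty;
    if (!secpath_matches_flow(sp, fl))
        return 0;
    if (pol == NULL)                     /* step 2: no policy -> only an unprotected packet passes */
        return sp->len == 0;
    if (!pol->allow) return 0;
    return policy_ok(pol, sp);
}
```

With an IP+AH+ESP+L4 packet the path is {AH, ESP}; a policy whose templates are AH then ESP accepts it, while a path carrying only ESP, a selector that does not match the flow, or a protected packet with no policy at all is dropped.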
