NetBSD Problem Report #56783

From www@netbsd.org  Wed Apr  6 18:11:24 2022
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 60D1C1A921F
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  6 Apr 2022 18:11:24 +0000 (UTC)
Message-Id: <20220406181122.E5AD31A923B@mollari.NetBSD.org>
Date: Wed,  6 Apr 2022 18:11:22 +0000 (UTC)
From: andrew.cagney@gmail.com
Reply-To: andrew.cagney@gmail.com
To: gnats-bugs@NetBSD.org
Subject: support the sadb_x_policy_priority extension
X-Send-Pr-Version: www-1.0

>Number:         56783
>Category:       kern
>Synopsis:       support the sadb_x_policy_priority extension
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 06 18:15:00 +0000 2022
>Originator:     Andrew
>Release:        mainline
>Organization:
>Environment:
N/A
>Description:
Given two identical policies, one with and one without corresponding state, it isn't possible to specify which should be preferred.  Linux and, I suspect, FreeBSD resolve this by specifying the policy's priority (the sadb_x_policy_priority extension) (smallest wins).

For instance (I suspect this requires the SPD acquire extension, which is also missing, but I digress), given a policy with no state, viz.:

  192.1.2.45[any] 192.1.2.23[any] 255(reserved)
   out ipsec

an outgoing packet to 192.1.2.23 will trigger an acquire event so that the IKE daemon can establish an IPsec tunnel (installing policy+state):

  192.1.2.45[any] 192.1.2.23[any] 255(reserved)
   out ipsec
       esp/transport/192.1.2.45-192.1.2.23/require
     spid=2 seq=0 pid=794
    refcnt=0

The problem is that the two policies have identical src/dst.  Having a priority field lets the kernel resolve this.

>How-To-Repeat:

>Fix:

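The following is an added illustration of the lookup problem described above; it is not NetBSD kernel code and not part of the report.  It models the SPD as an ordered list with the two policies from the report (the stateless "trap" policy installed first, the IKE-installed policy with an ESP request second) and resolves an outgoing 192.1.2.45 -> 192.1.2.23 packet once with the list order alone and once with a per-policy priority where the smallest value wins, as sadb_x_policy_priority does on Linux.  The struct layout, the priority values 1000/100 and the spid numbering are assumptions made for the example.

```c
/* Model of SPD lookup with and without a priority tie-break.
 * Added example, not NetBSD kernel code: the in-kernel SPD is a list of
 * struct secpolicy entries; this struct spd_entry keeps only the fields
 * the problem needs (assumption).  Addresses are the ones in the report. */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPD_MAX 8

enum spd_dir { SPD_IN, SPD_OUT };

struct spd_entry {
    struct in_addr src, dst;   /* host selectors only, for the example */
    enum spd_dir dir;
    uint32_t priority;         /* sadb_x_policy_priority: smallest wins */
    bool has_request;          /* an esp/transport/.../require is attached */
    int spid;                  /* mirrors the spid that setkey -DP prints */
};

struct spd {
    struct spd_entry e[SPD_MAX];
    size_t n;
};

/* Append a policy in arrival order.  Returns its spid, or -1 on error. */
static int spd_add(struct spd *spd, const char *src, const char *dst,
                   enum spd_dir dir, uint32_t priority, bool has_request)
{
    if (spd->n == SPD_MAX)
        return -1;
    struct spd_entry *e = &spd->e[spd->n];
    if (inet_pton(AF_INET, src, &e->src) != 1 ||
        inet_pton(AF_INET, dst, &e->dst) != 1)
        return -1;
    e->dir = dir;
    e->priority = priority;
    e->has_request = has_request;
    e->spid = (int)spd->n + 1;
    spd->n++;
    return e->spid;
}

/* Select the policy for a packet.  Without a priority field the first
 * matching entry in list order wins; with one, the matching entry with the
 * smallest priority wins (list order still breaks ties).
 * Returns the chosen spid, or 0 if no policy matches. */
static int spd_lookup(const struct spd *spd, const char *src, const char *dst,
                      enum spd_dir dir, bool use_priority)
{
    struct in_addr s, d;
    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return 0;
    const struct spd_entry *best = NULL;
    for (size_t i = 0; i < spd->n; i++) {
        const struct spd_entry *e = &spd->e[i];
        if (e->dir != dir || memcmp(&e->src, &s, sizeof s) != 0 ||
            memcmp(&e->dst, &d, sizeof d) != 0)
            continue;
        if (best == NULL || (use_priority && e->priority < best->priority))
            best = e;
    }
    return best ? best->spid : 0;
}

/* Scenario from PR 56783: the trap policy (no request) is installed first,
 * then the IKE daemon installs a policy with identical selectors plus an
 * ESP request.  Priorities 1000 (trap) and 100 (IKE) are assumed values. */
static int pr56783_scenario(bool use_priority)
{
    struct spd spd = { .n = 0 };
    (void)spd_add(&spd, "192.1.2.45", "192.1.2.23", SPD_OUT, 1000, false);
    (void)spd_add(&spd, "192.1.2.45", "192.1.2.23", SPD_OUT, 100, true);
    return spd_lookup(&spd, "192.1.2.45", "192.1.2.23", SPD_OUT, use_priority);
}

/* A packet matching no policy must yield 0, not fall through to any entry. */
static int pr56783_no_match(void)
{
    struct spd spd = { .n = 0 };
    (void)spd_add(&spd, "192.1.2.45", "192.1.2.23", SPD_OUT, 1000, false);
    return spd_lookup(&spd, "192.1.2.45", "192.1.2.24", SPD_OUT, true);
}

int main(void)
{
    /* spid=1: the stateless trap policy shadows the IKE-installed one */
    printf("without priority: spid=%d\n", pr56783_scenario(false));
    /* spid=2: the lower-numbered IKE policy, which carries the ESP request */
    printf("with priority:    spid=%d\n", pr56783_scenario(true));
    return 0;
}
```

Without the priority field the kernel has no ordering information beyond insertion order, so whichever of the two identical-selector policies was added first is the one every packet hits; with the field, the IKE daemon can install its policy at a smaller (more preferred) value and the trap policy is only reached once that entry is gone.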