53 lines
1.6 KiB
Diff
53 lines
1.6 KiB
Diff
From 0b91406427cf7292d61900991fd665f076b6d43f Mon Sep 17 00:00:00 2001
|
|
From: Daiki Ueno <dueno@redhat.com>
|
|
Date: Tue, 2 Jul 2024 20:37:07 +0900
|
|
Subject: [PATCH] tcp: call kernel_ops->poke_ipsec_policy_hole before connect
|
|
|
|
This fixes ondemand initiation with TCP. Without the policy hole, a
|
|
TCP handshake will not complete, as it cannot receive SYN-ACK packet
|
|
in plaintext and thus connect blocks until timeout.
|
|
|
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
Signed-off-by: Andrew Cagney <cagney@gnu.org>
|
|
---
|
|
programs/pluto/iface_tcp.c | 16 +++++++++-------
|
|
1 file changed, 9 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
|
|
index c63e8bfe4d..55fe639174 100644
|
|
--- a/programs/pluto/iface_tcp.c
|
|
+++ b/programs/pluto/iface_tcp.c
|
|
@@ -473,6 +473,15 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
|
|
return NULL;
|
|
}
|
|
|
|
+ /* This needs to be called before connect, so TCP handshake
|
|
+ * (in plaintext) completes. */
|
|
+ if (kernel_ops->poke_ipsec_policy_hole != NULL &&
|
|
+ !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
|
|
+ /* already logged */
|
|
+ close(fd);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
/*
|
|
* Connect
|
|
*
|
|
@@ -551,13 +560,6 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
|
|
}
|
|
}
|
|
|
|
- if (kernel_ops->poke_ipsec_policy_hole != NULL &&
|
|
- !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
|
|
- /* already logged */
|
|
- close(fd);
|
|
- return NULL;
|
|
- }
|
|
-
|
|
struct iface_endpoint *ifp =
|
|
alloc_iface_endpoint(fd, local_dev, &iketcp_iface_io,
|
|
/*esp_encapsulation_enabled*/true,
|
|
--
|
|
2.45.2
|
|
|