Bug 176455 - [CM] [RHEL4] IPSec Kernel Bug
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Jeff Layton
QA Contact: Brian Brock

Reported: 2005-12-22 18:03 EST by Bryan Mason
Modified: 2014-06-18 03:35 EDT

Fixed In Version: RHBA-2007-0304
Doc Type: Bug Fix
Last Closed: 2007-05-01 19:59:50 EDT


Attachments:
backport of immediate SA switchover patch from upstream (1.86 KB, patch)
2006-10-04 09:33 EDT, Jeff Layton
respun patch, include dst->obsolete < 0 check (2.65 KB, patch)
2006-10-04 10:01 EDT, Jeff Layton
Comment 1 David Miller 2005-12-24 04:44:23 EST
I already cooked up a patch so I'll take this.
Comment 6 Jeff Layton 2006-10-04 09:33:22 EDT
Created attachment 137740
backport of immediate SA switchover patch from upstream

Instead of using RHEL3's patch as a base, I backported the original upstream
patch here, since it was a little closer to the RHEL4 codebase. The original
patch is here:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=399c180ac5f0cb66ef9479358e0b8b6bafcbeafe


There is another patch, however, that we might want to consider, which looks
like it fixed some deficiencies of the original patch:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d49c73c729e2ef644558a1f441c044bfacdc9744


Dave, you're more familiar with this code than I. Should I backport that one
too?
Comment 7 Jeff Layton 2006-10-04 10:01:50 EDT
Created attachment 137743
respun patch, include dst->obsolete < 0 check

Respun patch that includes the later patch to correct the case when
dst->obsolete < 0.
Comment 8 David Miller 2006-10-04 16:40:27 EDT
Good catch Jeff, yes that second bit with the dst->obsolete check
is needed.
Comment 9 Jeff Layton 2006-10-24 07:28:52 EDT
The patch seems to have fixed the customer's Linux-Linux renegotiation problems,
but Linux-Windows doesn't seem to be working correctly still. Going to see if I
can crank up debugging in racoon and get some idea of why it's not occurring.

Essentially, network captures show the ISAKMP messages being sent back and forth
for rekeying, but the sequence number of the packets following that don't get
reset back to 1. I'm presuming this means that the rekeying failed for some reason.
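
The capture symptom described in comment 9 (rekeying traffic seen, but ESP sequence numbers not restarting at 1) can be checked mechanically. This is an added example, not part of the bug report or the attached patches; it assumes the ESP payloads for one direction have already been extracted in capture order and that the index of the first packet after the ISAKMP exchange is known, and the sample packets and SPI values are constructed.

```python
import struct

ESP_HDR = struct.Struct("!II")  # SPI, then sequence number, both 32-bit big-endian


def parse_esp(payload):
    """Return (spi, seq) from the first 8 bytes of an ESP payload."""
    if len(payload) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    return ESP_HDR.unpack_from(payload)


def sa_runs(payloads):
    """Group one direction's packets, in capture order, into runs per SPI."""
    runs = []
    for payload in payloads:
        spi, seq = parse_esp(payload)
        if runs and runs[-1]["spi"] == spi:
            runs[-1]["last_seq"] = seq
            runs[-1]["count"] += 1
        else:
            runs.append({"spi": spi, "first_seq": seq, "last_seq": seq, "count": 1})
    return runs


def switched_after_rekey(payloads, rekey_index):
    """True if the first packet at or after rekey_index that carries an SPI not
    seen earlier starts that SA at sequence number 1."""
    old_spis = {parse_esp(p)[0] for p in payloads[:rekey_index]}
    for payload in payloads[rekey_index:]:
        spi, seq = parse_esp(payload)
        if spi not in old_spis:
            return seq == 1
    return False  # sender kept using the old SA


def make_esp(spi, seq):
    """Build a constructed ESP payload: header plus 16 dummy ciphertext bytes."""
    return ESP_HDR.pack(spi, seq) + b"\x00" * 16


# Constructed captures; the rekey exchange completes before packet index 3.
STALE = [make_esp(0x1000, n) for n in range(40, 46)]
SWITCHED = [make_esp(0x1000, n) for n in (40, 41, 42)] + [make_esp(0x2000, n) for n in (1, 2, 3)]

if __name__ == "__main__":
    for name, capture in (("stale", STALE), ("switched", SWITCHED)):
        print(name, switched_after_rekey(capture, 3), sa_runs(capture))
```

A single run with a continuing sequence number after the rekey index means the sender is still on the old SA; a second run starting at 1 under a new SPI means the new SA is in use.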
Comment 11 Jeff Layton 2006-11-28 15:01:18 EST
I'm planning to post the patch here soon, so I'll go ahead and grab this from Dave.
Comment 13 Jason Baron 2006-12-04 14:16:10 EST
Committed in stream U5 build 42.28. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 15 RHEL Product and Program Management 2006-12-11 10:40:57 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 16 Jay Turner 2006-12-11 12:51:50 EST
QE ack for 4.5.
Comment 20 Mike Gahagan 2007-03-29 11:04:11 EDT
Patch is in -52 and the customer has been using a hotfix kernel already for some
time.
Comment 22 Red Hat Bugzilla 2007-05-01 19:59:50 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html
