Commit 9f788e5d authored by Martin Willi, committed by sanglipeng

Revert "Fix XFRM-I support for nested ESP tunnels"

stable inclusion
from stable-v5.10.181
commit c5449195f86ec02433a9ef8abe01be11d228fca1
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8GJZJ

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c5449195f86ec02433a9ef8abe01be11d228fca1

--------------------------------

[ Upstream commit 5fc46f94 ]

This reverts commit b0355dbb.

The reverted commit clears the secpath on packets received via xfrm interfaces
to support nested IPsec tunnels. This breaks Netfilter policy matching using
xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.

Fix this regression by reverting the commit until we have a better approach
for nested IPsec tunnels.

Fixes: b0355dbb ("Fix XFRM-I support for nested ESP tunnels")
Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/


Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
parent 445fd565