Fix XFRM-I support for nested ESP tunnels
stable inclusion from stable-v5.10.171 commit 887975834dea744dde636dd73bbd1e597f211d7d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7V9QX Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=887975834dea744dde636dd73bbd1e597f211d7d ---------------------------------------------------- [ Upstream commit b0355dbb ] This change adds support for nested IPsec tunnels by ensuring that XFRM-I verifies existing policies before decapsulating a subsequent policies. Addtionally, this clears the secpath entries after policies are verified, ensuring that previous tunnels with no-longer-valid do not pollute subsequent policy checks. This is necessary especially for nested tunnels, as the IP addresses, protocol and ports may all change, thus not matching the previous policies. In order to ensure that packets match the relevant inbound templates, the xfrm_policy_check should be done before handing off to the inner XFRM protocol to decrypt and decapsulate. Notably, raw ESP/AH packets did not perform policy checks inherently, whereas all other encapsulated packets (UDP, TCP encapsulated) do policy checks after calling xfrm_input handling in the respective encapsulation layer. Test: Verified with additional Android Kernel Unit tests Signed-off-by:Benedict Wong <benedictwong@google.com> Signed-off-by:
Loading
Please sign in to comment