xfrm: Treat already-verified secpath entries as optional (1f8b6df6) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit 1f8b6df6 authored May 10, 2023 by

Benedict Wong Committed by Steffen Klassert May 21, 2023

xfrm: Treat already-verified secpath entries as optional

This change allows inbound traffic through nested IPsec tunnels to
successfully match policies and templates, while retaining the secpath
stack trace as necessary for netfilter policies.

Specifically, this patch marks secpath entries that have already matched
against a relevant policy as having been verified, allowing it to be
treated as optional and skipped after a tunnel decapsulation (during
which the src/dst/proto/etc may have changed, and the correct policy
chain no long be resolvable).

This approach is taken as opposed to the iteration in b0355dbb,
where the secpath was cleared, since that breaks subsequent validations
that rely on the existence of the secpath entries (netfilter policies, or
transport-in-tunnel mode, where policies remain resolvable).

Fixes: b0355dbb

 ("Fix XFRM-I support for nested ESP tunnels")
Test: Tested against Android Kernel Unit Tests
Test: Tested against Android CTS
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent 67caf26d

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit cdaa6e11
· Jun 29, 2023

mentioned in commit cdaa6e11

mentioned in commit cdaa6e1105c04195c91484162c5a4e8958b24ec8

Toggle commit list
mirror @mirror
mentioned in commit 491ce3c1
· Jun 29, 2023

mentioned in commit 491ce3c1

mentioned in commit 491ce3c1d98ab39a1deae154d442a560f7de0708

Toggle commit list
mirror @mirror
mentioned in commit 8ea03341
· Jun 29, 2023

mentioned in commit 8ea03341

mentioned in commit 8ea03341f78ab916c64b26f283ffb12eb6737f2d

Toggle commit list

Please register or to comment