Fix XFRM-I support for nested ESP tunnels (b0355dbb) · Commits · Mirrors / github.com / raspberrypi_linux

Commit b0355dbb authored Jan 05, 2023 by

Benedict Wong Committed by Steffen Klassert Jan 09, 2023

Fix XFRM-I support for nested ESP tunnels



This change adds support for nested IPsec tunnels by ensuring that
XFRM-I verifies existing policies before decapsulating a subsequent
policies. Addtionally, this clears the secpath entries after policies
are verified, ensuring that previous tunnels with no-longer-valid
do not pollute subsequent policy checks.

This is necessary especially for nested tunnels, as the IP addresses,
protocol and ports may all change, thus not matching the previous
policies. In order to ensure that packets match the relevant inbound
templates, the xfrm_policy_check should be done before handing off to
the inner XFRM protocol to decrypt and decapsulate.

Notably, raw ESP/AH packets did not perform policy checks inherently,
whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
checks after calling xfrm_input handling in the respective encapsulation
layer.

Test: Verified with additional Android Kernel Unit tests
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent 571f3dd0

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 8ea03341
· Jul 02, 2023

mentioned in commit 8ea03341

mentioned in commit 8ea03341f78ab916c64b26f283ffb12eb6737f2d

Toggle commit list
mirror @mirror
mentioned in commit c803e916
· Jul 02, 2023

mentioned in commit c803e916

mentioned in commit c803e91600bef2626744734f7ba7d617e1dc19f7

Toggle commit list

Please register or to comment