git.maquefel.me Git - linux.git/commit

author	Benedict Wong <benedictwong@google.com>
	Wed, 10 May 2023 01:30:21 +0000 (01:30 +0000)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Sun, 21 May 2023 07:21:37 +0000 (09:21 +0200)
commit	1f8b6df6a997a430b0c48b504638154b520781ad
tree	e74b3e927438f0e59ad49d7e8bb40c18b92f0af9	tree \| snapshot
parent	67caf26d769e0cb17dba182b0acae015c7aa5881	commit \| diff

xfrm: Treat already-verified secpath entries as optional

This change allows inbound traffic through nested IPsec tunnels to
successfully match policies and templates, while retaining the secpath
stack trace as necessary for netfilter policies.

Specifically, this patch marks secpath entries that have already matched
against a relevant policy as having been verified, allowing it to be
treated as optional and skipped after a tunnel decapsulation (during
which the src/dst/proto/etc may have changed, and the correct policy
chain no long be resolvable).

This approach is taken as opposed to the iteration in b0355dbbf13c,
where the secpath was cleared, since that breaks subsequent validations
that rely on the existence of the secpath entries (netfilter policies, or
transport-in-tunnel mode, where policies remain resolvable).

Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
Test: Tested against Android Kernel Unit Tests
Test: Tested against Android CTS
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

include/net/xfrm.h		diff \| blob \| history
net/xfrm/xfrm_input.c		diff \| blob \| history
net/xfrm/xfrm_policy.c		diff \| blob \| history