git.itanic.dy.fi Git - linux-stable/commit
Revert "Fix XFRM-I support for nested ESP tunnels"
author Martin Willi <martin@strongswan.org>
Tue, 25 Apr 2023 07:46:18 +0000 (09:46 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 May 2023 16:36:48 +0000 (17:36 +0100)
commit 288247879f4e7adcbce8a93969e3b48d8944e7a9
tree c2a7a6ba7bd7b5802321021119efb74a4b364f04
parent 46f1a953545f03cafa76f231c159e6d4d4187c0b
Revert "Fix XFRM-I support for nested ESP tunnels"

[ Upstream commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 ]

This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de.

The reverted commit clears the secpath on packets received via xfrm interfaces
to support nested IPsec tunnels. This breaks Netfilter policy matching using
xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.

Fix this regression by reverting the commit until we have a better approach
for nested IPsec tunnels.

Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/xfrm/xfrm_interface.c
net/xfrm/xfrm_policy.c