git.itanic.dy.fi Git - linux-stable/commit

author	Martin Willi <martin@strongswan.org>
	Tue, 25 Apr 2023 07:46:18 +0000 (09:46 +0200)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Tue, 25 Apr 2023 07:50:34 +0000 (09:50 +0200)
commit	5fc46f94219d1d103ffb5f0832be9da674d85a73
tree	a499b4983b8b76ca132cb0e35747a64b371a8b0e	tree \| snapshot
parent	ec8f32ad9a65a8cbb465b69e154aaec9d2fe45c4	commit \| diff

Revert "Fix XFRM-I support for nested ESP tunnels"

This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de.

The reverted commit clears the secpath on packets received via xfrm interfaces
to support nested IPsec tunnels. This breaks Netfilter policy matching using
xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.

Fix this regression by reverting the commit until we have a better approach
for nested IPsec tunnels.

Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

net/xfrm/xfrm_interface_core.c		diff \| blob \| history
net/xfrm/xfrm_policy.c		diff \| blob \| history