]> git.itanic.dy.fi Git - linux-stable/commit
projects / linux-stable / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 571f3dd) | patch
Fix XFRM-I support for nested ESP tunnels
authorBenedict Wong <benedictwong@google.com>
Thu, 5 Jan 2023 21:28:12 +0000 (21:28 +0000)
committerSteffen Klassert <steffen.klassert@secunet.com>
Mon, 9 Jan 2023 06:11:05 +0000 (07:11 +0100)
commitb0355dbbf13c0052931dd14c38c789efed64d3de
tree1dddb76fc46939172baea8b293efbd877e28f0f8tree | snapshot
parent571f3dd0d01b62ec63a4039320dbdbcd54ae8fb0commit | diff
Fix XFRM-I support for nested ESP tunnels

This change adds support for nested IPsec tunnels by ensuring that
XFRM-I verifies existing policies before decapsulating a subsequent
policies. Addtionally, this clears the secpath entries after policies
are verified, ensuring that previous tunnels with no-longer-valid
do not pollute subsequent policy checks.

This is necessary especially for nested tunnels, as the IP addresses,
protocol and ports may all change, thus not matching the previous
policies. In order to ensure that packets match the relevant inbound
templates, the xfrm_policy_check should be done before handing off to
the inner XFRM protocol to decrypt and decapsulate.

Notably, raw ESP/AH packets did not perform policy checks inherently,
whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
checks after calling xfrm_input handling in the respective encapsulation
layer.

Test: Verified with additional Android Kernel Unit tests
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/xfrm/xfrm_interface_core.c diff | blob | history
net/xfrm/xfrm_policy.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.