summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSabrina Dubroca <sd@queasysnail.net>2023-04-04 16:12:16 +0300
committerSteffen Klassert <steffen.klassert@secunet.com>2023-04-06 13:04:31 +0300
commit430cac487400494c19a8b85299e979bb07b4671f (patch)
tree87017aa943c6ed74db012c7ce9c2a89d712a009b
parent24e3fce00c0b557491ff596c0682a29dee6fe848 (diff)
downloadlinux-430cac487400494c19a8b85299e979bb07b4671f.tar.xz
xfrm: don't check the default policy if the policy allows the packet
The current code doesn't let a simple "allow" policy counteract a default policy blocking all incoming packets: ip x p setdefault in block ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow At this stage, we have an allow policy (with or without transforms) for this packet. It doesn't matter what the default policy says, since the policy we looked up lets the packet through. The case of a blocking policy is already handled separately, so we can remove this check. Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-rw-r--r--net/xfrm/xfrm_policy.c6
1 files changed, 0 insertions, 6 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5c61ec04b839..62be042f2ebc 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3712,12 +3712,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
}
xfrm_nr = ti;
- if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK &&
- !xfrm_nr) {
- XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
- goto reject;
- }
-
if (npols > 1) {
xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
tpp = stp;