path: root/net/key
author    Eyal Birger <eyal.birger@gmail.com>    2022-05-13 23:34:02 +0300
committer Steffen Klassert <steffen.klassert@secunet.com>    2022-05-16 10:31:26 +0300
commit    e6175a2ed1f18bf2f649625bf725e07adcfa6a28 (patch)
tree      6b1e9cc11f5c66e9f71fcb9db966352317eff62c /net/key
parent    79396934e289dbc501316c1d1f975bb4c88ae460 (diff)
download  linux-e6175a2ed1f18bf2f649625bf725e07adcfa6a28.tar.xz
xfrm: fix "disable_policy" flag use when arriving from different devices
In IPv4 setting the "disable_policy" flag on a device means no policy
should be enforced for traffic originating from the device. This was
implemented by setting the DST_NOPOLICY flag in the dst based on the
originating device.

However, dsts are cached in nexthops regardless of the originating
devices, in which case, the DST_NOPOLICY flag value may be incorrect.

Consider the following setup:

                    +------------------------------+
                    | ROUTER                       |
    +-------------+ | +-----------------+          |
    | ipsec src   |----|-|ipsec0          |          |
    +-------------+ | |disable_policy=0 |   +----+ |
                    | +-----------------+   |eth1|-|-----
    +-------------+ | +-----------------+   +----+ |
    | noipsec src |----|-|eth0            |          |
    +-------------+ | |disable_policy=1 |          |
                    | +-----------------+          |
                    +------------------------------+

Where ROUTER has a default route towards eth1.

dst entries for traffic arriving from eth0 would have DST_NOPOLICY and
would be cached and therefore can be reused by traffic originating from
ipsec0, skipping policy check.

Fix by setting an IPSKB_NOPOLICY flag in IPCB and observing it instead
of the DST in IN/FWD IPv4 policy checks.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
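The mechanism the commit message describes, as an added userland model that is not kernel code and not part of this commit: a dst cache keyed only by nexthop, a per-dst DST_NOPOLICY flag computed from whichever ingress device populated the slot (the buggy path), and the fix's per-packet IPSKB_NOPOLICY flag carried in a control block instead. All structure and function names here (struct netdev, struct skb, route_input_buggy, route_input_fixed, forward) are illustrative stand-ins for the kernel's, and the two devices mirror the eth0/ipsec0 setup above.

```c
/* Userland model of the dst-cache / disable_policy interaction described
 * in the commit message. Not kernel code; names are illustrative only. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DST_NOPOLICY   0x1   /* flag on the cached route (buggy path) */
#define IPSKB_NOPOLICY 0x1   /* flag in the per-packet control block (fix) */
#define NH_MAX 4

struct netdev { const char *name; bool disable_policy; };
struct dst    { bool valid; unsigned flags; };

struct skb {
    const struct netdev *in_dev;   /* ingress device */
    int nexthop_id;                /* selected route, e.g. default via eth1 */
    struct dst *dst;
    unsigned ipcb_flags;           /* stands in for IPCB(skb)->flags */
};

/* Modelled setup: both sources use the same default route (nexthop 0). */
const struct netdev eth0   = { "eth0",   true  };   /* disable_policy=1 */
const struct netdev ipsec0 = { "ipsec0", false };   /* disable_policy=0 */

/* One cached dst per nexthop, shared by every ingress device. */
static struct dst dst_cache[NH_MAX];

void dst_cache_reset(void) { memset(dst_cache, 0, sizeof dst_cache); }

/* Buggy: the NOPOLICY decision is baked into the cached dst by the first
 * packet that fills the slot, then reused by every later packet for that
 * nexthop regardless of its own ingress device. */
static struct dst *route_input_buggy(struct skb *skb)
{
    struct dst *d = &dst_cache[skb->nexthop_id];
    if (!d->valid) {
        d->valid = true;
        d->flags = skb->in_dev->disable_policy ? DST_NOPOLICY : 0;
    }
    skb->dst = d;
    return d;
}

/* Fixed: the cached dst carries no per-device state; the decision is
 * recorded on the packet itself. */
static struct dst *route_input_fixed(struct skb *skb)
{
    struct dst *d = &dst_cache[skb->nexthop_id];
    if (!d->valid) {
        d->valid = true;
        d->flags = 0;
    }
    if (skb->in_dev->disable_policy)
        skb->ipcb_flags |= IPSKB_NOPOLICY;
    skb->dst = d;
    return d;
}

/* IN/FWD policy check: true if an xfrm policy lookup would be performed. */
bool policy_enforced_buggy(const struct skb *skb) { return !(skb->dst->flags & DST_NOPOLICY); }
bool policy_enforced_fixed(const struct skb *skb) { return !(skb->ipcb_flags & IPSKB_NOPOLICY); }

/* Forward one packet arriving on `in` via the default route and report
 * whether the forward-path policy check runs for it. */
bool forward(const struct netdev *in, bool use_fix)
{
    struct skb skb = { .in_dev = in, .nexthop_id = 0, .dst = NULL, .ipcb_flags = 0 };
    if (use_fix) {
        route_input_fixed(&skb);
        return policy_enforced_fixed(&skb);
    }
    route_input_buggy(&skb);
    return policy_enforced_buggy(&skb);
}

/* The commit's scenario: eth0 traffic warms the nexthop's dst first, then
 * ipsec0 traffic reuses that dst. Returns whether the ipsec0 packet is
 * policy-checked. */
bool ipsec0_checked_after_eth0(bool use_fix)
{
    dst_cache_reset();
    forward(&eth0, use_fix);           /* populates dst_cache[0] */
    return forward(&ipsec0, use_fix);  /* same nexthop, cached dst reused */
}

int main(void)
{
    printf("buggy: ipsec0 policy-checked after eth0 warmed the cache? %s\n",
           ipsec0_checked_after_eth0(false) ? "yes" : "no");
    printf("fixed: ipsec0 policy-checked after eth0 warmed the cache? %s\n",
           ipsec0_checked_after_eth0(true) ? "yes" : "no");
    return 0;
}
```

Run in the opposite order (ipsec0 first, then eth0) the buggy model produces the mirror-image error: the cached dst lacks DST_NOPOLICY, so eth0 traffic is policy-checked despite disable_policy=1. That is the "flag value may be incorrect" point in the message: any per-ingress-device decision stored in a structure cached per nexthop is wrong for whichever device did not fill the slot, which is why the fix moves the decision onto the packet.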
Diffstat (limited to 'net/key')
0 files changed, 0 insertions, 0 deletions