xfrm: Ensure policies always checked on XFRM-I input path - kernel/linux.git

diff options

author	Benedict Wong <benedictwong@google.com>	2023-05-10 04:30:22 +0300
committer	Steffen Klassert <steffen.klassert@secunet.com>	2023-05-21 10:21:37 +0300
commit	a287f5b0cfc6804c5b12a4be13c7c9fe27869e90 (patch)
tree	82f547c52c0d81a2aad51a72595ce6de683eeeb2 /tools/perf/scripts/python/exported-sql-viewer.py
parent	1f8b6df6a997a430b0c48b504638154b520781ad (diff)
download	linux-a287f5b0cfc6804c5b12a4be13c7c9fe27869e90.tar.xz

xfrm: Ensure policies always checked on XFRM-I input path

This change adds methods in the XFRM-I input path that ensures that policies are checked prior to processing of the subsequent decapsulated packet, after which the relevant policies may no longer be resolvable (due to changing src/dst/proto/etc). Notably, raw ESP/AH packets did not perform policy checks inherently, whereas all other encapsulated packets (UDP, TCP encapsulated) do policy checks after calling xfrm_input handling in the respective encapsulation layer. Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels") Test: Verified with additional Android Kernel Unit tests Test: Verified against Android CTS Signed-off-by: Benedict Wong <benedictwong@google.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Diffstat (limited to 'tools/perf/scripts/python/exported-sql-viewer.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: