diff options
author | Martin Willi <martin@strongswan.org> | 2019-03-26 13:20:43 +0100 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2019-03-27 16:14:05 +0100 |
commit | 025c65e119bf58b610549ca359c9ecc5dee6a8d2 (patch) | |
tree | b8a060c8237b6b965b327946043a11e40eae07bc /include/net/xfrm.h | |
parent | esp4: add length check for UDP encapsulation (diff) | |
download | linux-025c65e119bf58b610549ca359c9ecc5dee6a8d2.tar.xz linux-025c65e119bf58b610549ca359c9ecc5dee6a8d2.zip |
xfrm: Honor original L3 slave device in xfrmi policy lookup
If an xfrmi is associated to a vrf layer 3 master device,
xfrm_policy_check() fails after traffic decapsulation. The input
interface is replaced by the layer 3 master device, and hence
xfrmi_decode_session() can't match the xfrmi anymore to satisfy
policy checking.
Extend ingress xfrmi lookup to honor the original layer 3 slave
device, allowing xfrm interfaces to operate within a vrf domain.
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'include/net/xfrm.h')
-rw-r--r-- | include/net/xfrm.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 902437dfbce7..c9b0b2b5d672 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -295,7 +295,8 @@ struct xfrm_replay { }; struct xfrm_if_cb { - struct xfrm_if *(*decode_session)(struct sk_buff *skb); + struct xfrm_if *(*decode_session)(struct sk_buff *skb, + unsigned short family); }; void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb); |