summaryrefslogtreecommitdiffstats
path: root/include/net/xfrm.h
diff options
context:
space:
mode:
authorMartin Willi <martin@strongswan.org>2019-03-26 13:20:43 +0100
committerSteffen Klassert <steffen.klassert@secunet.com>2019-03-27 16:14:05 +0100
commit025c65e119bf58b610549ca359c9ecc5dee6a8d2 (patch)
treeb8a060c8237b6b965b327946043a11e40eae07bc /include/net/xfrm.h
parentesp4: add length check for UDP encapsulation (diff)
downloadlinux-025c65e119bf58b610549ca359c9ecc5dee6a8d2.tar.xz
linux-025c65e119bf58b610549ca359c9ecc5dee6a8d2.zip
xfrm: Honor original L3 slave device in xfrmi policy lookup
If an xfrmi is associated to a vrf layer 3 master device, xfrm_policy_check() fails after traffic decapsulation. The input interface is replaced by the layer 3 master device, and hence xfrmi_decode_session() can't match the xfrmi anymore to satisfy policy checking. Extend ingress xfrmi lookup to honor the original layer 3 slave device, allowing xfrm interfaces to operate within a vrf domain. Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Martin Willi <martin@strongswan.org> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'include/net/xfrm.h')
-rw-r--r--include/net/xfrm.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 902437dfbce7..c9b0b2b5d672 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -295,7 +295,8 @@ struct xfrm_replay {
};
struct xfrm_if_cb {
- struct xfrm_if *(*decode_session)(struct sk_buff *skb);
+ struct xfrm_if *(*decode_session)(struct sk_buff *skb,
+ unsigned short family);
};
void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);