| field | value | date |
|---|---|---|
| author | Martin Willi <martin@strongswan.org> | 2023-04-25 09:46:18 +0200 |
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2023-04-25 09:50:34 +0200 |
| commit | 5fc46f94219d1d103ffb5f0832be9da674d85a73 | |
| tree | a499b4983b8b76ca132cb0e35747a64b371a8b0e /net/xfrm/xfrm_policy.c | |
| parent | xfrm: Fix leak of dev tracker | |
Revert "Fix XFRM-I support for nested ESP tunnels"
This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de.
The reverted commit clears the secpath on packets received via xfrm interfaces
to support nested IPsec tunnels. This breaks Netfilter policy matching using
xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.
Fix this regression by reverting the commit until we have a better approach
for nested IPsec tunnels.
Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm/xfrm_policy.c')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 3 |

1 files changed, 0 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 62be042f2ebc..21a3a1cd3d6d 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -3739,9 +3739,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, goto reject; } - if (if_id) - secpath_reset(skb); - xfrm_pols_put(pols, npols); return 1; } |
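Review bot: the only change is dropping `if (if_id) secpath_reset(skb);` from __xfrm_policy_check, so packets that arrived through an xfrm interface keep their secpath when the policy check runs; that is what restores xt_policy matching in FORWARD and Transport-in-Tunnel mode as the message says, but it equally reinstates the nested-ESP-over-xfrmi limitation the reverted commit was addressing, and the message states that only indirectly ("until we have a better approach"). Suggest saying explicitly that nested IPsec tunnels over xfrm interfaces are back to pre-b0355dbbf13c behaviour, and, since this is the second change to the same three lines, adding a selftest that forwards a decapsulated packet through an xt_policy FORWARD rule so a future secpath_reset in this path cannot silently break policy enforcement again.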