git.ipfire.org Git - thirdparty/kernel/stable.git/commit
xfrm: Honor original L3 slave device in xfrmi policy lookup
author Martin Willi <martin@strongswan.org>
Tue, 26 Mar 2019 12:20:43 +0000 (13:20 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 25 May 2019 16:22:22 +0000 (18:22 +0200)
commit 79fad8fd2b7664883d3c3ba9aa88937a56d70940
tree 298ddfe12d4aa1f11d22d55a1f9575c33191c2f4
parent ff7fa2c801bce4920ef75741283364b133728e8c
xfrm: Honor original L3 slave device in xfrmi policy lookup

[ Upstream commit 025c65e119bf58b610549ca359c9ecc5dee6a8d2 ]

If an xfrmi is associated to a vrf layer 3 master device,
xfrm_policy_check() fails after traffic decapsulation. The input
interface is replaced by the layer 3 master device, and hence
xfrmi_decode_session() can't match the xfrmi anymore to satisfy
policy checking.

Extend ingress xfrmi lookup to honor the original layer 3 slave
device, allowing xfrm interfaces to operate within a vrf domain.

Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
include/net/xfrm.h
net/xfrm/xfrm_interface.c
net/xfrm/xfrm_policy.c
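
The failure described in the commit message, as a simplified userspace model in C. This is an added example, not code from the commit or the kernel; the struct names, the ifindex values and the if_id comparison are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: hypothetical types, not kernel structures. */
struct xfrmi { int ifindex; unsigned if_id; };
struct pkt {
    int dev_ifindex;   /* input device after decapsulation (vrf master if enslaved) */
    int slave_ifindex; /* original L3 slave device, 0 when no vrf is involved */
    unsigned if_id;    /* interface ID the policy expects (model assumption) */
};

/* Constructed sample: xfrm0 (ifindex 7) is enslaved to vrf0 (ifindex 5). */
static const struct xfrmi xfrmi_table[] = { { 7, 42 }, { 8, 43 } };
static const struct pkt vrf_pkt   = { 5, 7, 42 }; /* arrived via xfrm0 in vrf0 */
static const struct pkt plain_pkt = { 8, 0, 43 }; /* arrived via xfrm1, no vrf */

static const struct xfrmi *find_xfrmi(int ifindex)
{
    for (size_t i = 0; i < sizeof(xfrmi_table) / sizeof(xfrmi_table[0]); i++)
        if (xfrmi_table[i].ifindex == ifindex)
            return &xfrmi_table[i];
    return NULL;
}

/* Lookup keyed on the current input device only: the failing case. */
static int policy_ok_input_dev_only(const struct pkt *p)
{
    const struct xfrmi *xi = find_xfrmi(p->dev_ifindex);
    return xi != NULL && xi->if_id == p->if_id;
}

/* Lookup that prefers the original L3 slave device when one is recorded. */
static int policy_ok_honor_slave(const struct pkt *p)
{
    int ifindex = p->slave_ifindex ? p->slave_ifindex : p->dev_ifindex;
    const struct xfrmi *xi = find_xfrmi(ifindex);
    return xi != NULL && xi->if_id == p->if_id;
}

int main(void)
{
    printf("vrf packet, input device only: %d\n", policy_ok_input_dev_only(&vrf_pkt));
    printf("vrf packet, honoring slave:    %d\n", policy_ok_honor_slave(&vrf_pkt));
    printf("plain packet, both lookups:    %d %d\n",
           policy_ok_input_dev_only(&plain_pkt), policy_ok_honor_slave(&plain_pkt));
    return 0;
}
```

In the model, the packet received through the enslaved interface fails the check when only the input device is consulted, because that device is now the vrf master; the packet outside any vrf passes either way.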