Commit b2942004 authored by Saurabh Mohan's avatar Saurabh Mohan Committed by David S. Miller
Browse files

ipv4/ip_vti.c: VTI fix post-decryption forwarding 



With the latest kernel there are two things that must be done post decryption
 so that the packet are forwarded.
 1. Remove the mark from the packet. This will cause the packet to not match
 the ipsec-policy again. However doing this causes the post-decryption check to
 fail also and the packet will get dropped. (cat /proc/net/xfrm_stat).
 2. Remove the sp association in the skbuff so that no policy check is done on
 the packet for VTI tunnels.

Due to #2 above we must now do a security-policy check in the vti rcv path
prior to resetting the mark in the skbuff.

Signed-off-by: default avatarSaurabh Mohan <saurabh.mohan@vyatta.com>
Reported-by: default avatarRuben Herold <ruben@puettmann.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 1ba56fb4

net/ipv4/ip_vti.c

+5 −0
Original line number Diff line number Diff line
@@ -338,12 +338,17 @@ static int vti_rcv(struct sk_buff *skb) 
	if (tunnel != NULL) {

		struct pcpu_tstats *tstats;



		if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))

			return -1;



		tstats = this_cpu_ptr(tunnel->dev->tstats);

		u64_stats_update_begin(&tstats->syncp);

		tstats->rx_packets++;

		tstats->rx_bytes += skb->len;

		u64_stats_update_end(&tstats->syncp);



		skb->mark = 0;

		secpath_reset(skb);

		skb->dev = tunnel->dev;

		return 1;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE