author | 2023-05-10 01:30:22 +0000 | |
---|---|---|
committer | 2023-05-21 09:21:37 +0200 | |
commit | a287f5b0cfc6804c5b12a4be13c7c9fe27869e90 (patch) | |
tree | 82f547c52c0d81a2aad51a72595ce6de683eeeb2 /tools/perf/scripts/python/export-to-sqlite.py | |
parent | xfrm: Treat already-verified secpath entries as optional (diff) | |
download | wireguard-linux-a287f5b0cfc6804c5b12a4be13c7c9fe27869e90.tar.xz wireguard-linux-a287f5b0cfc6804c5b12a4be13c7c9fe27869e90.zip |

xfrm: Ensure policies always checked on XFRM-I input path

This change adds methods in the XFRM-I input path that ensure that
policies are checked prior to processing of the subsequent decapsulated
packet, after which the relevant policies may no longer be resolvable
(due to changing src/dst/proto/etc).

Notably, raw ESP/AH packets did not perform policy checks inherently,
whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
checks after calling xfrm_input handling in the respective encapsulation
layer.

Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
Test: Verified with additional Android Kernel Unit tests
Test: Verified against Android CTS
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions