review.tizen.org Git - platform/kernel/linux-rpi3.git/commit

author	Tobias Brunner <tobias@strongswan.org>
	Mon, 18 Feb 2019 09:49:39 +0000 (10:49 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 23 Mar 2019 19:09:49 +0000 (20:09 +0100)
commit	6ac400b7c5e8c0b2d3b4c60176bd58138b956a58
tree	ac3317933e4ce61f96dd25cb2c766003101f6399	tree \| snapshot
parent	3a532134236151b46af88e63719263c424697f83	commit \| diff

xfrm: Fix inbound traffic via XFRM interfaces across network namespaces

[ Upstream commit 660899ddf06ae8bb5bbbd0a19418b739375430c5 ]

After moving an XFRM interface to another namespace it stays associated
with the original namespace (net in `struct xfrm_if` and the list keyed
with `xfrmi_net_id`), allowing processes in the new namespace to use
SAs/policies that were created in the original namespace. For instance,
this allows a keying daemon in one namespace to establish IPsec SAs for
other namespaces without processes there having access to the keys or IKE
credentials.

This worked fine for outbound traffic, however, for inbound traffic the
lookup for the interfaces and the policies used the incorrect namespace
(the one the XFRM interface was moved to).

Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

net/xfrm/xfrm_interface.c		diff \| blob \| history
net/xfrm/xfrm_policy.c		diff \| blob \| history