xfrm: Honor original L3 slave device in xfrmi policy lookup
author Martin Willi <martin@strongswan.org>
Tue, 26 Mar 2019 12:20:43 +0000 (13:20 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 25 May 2019 16:23:41 +0000 (18:23 +0200)
commit 6faa620606247d641201cf80c4521d252dc342c6
tree 1d484b96a6f9a7f0009e2c153c4410cb499293a6
parent 3716c26250997e5c78146c873094360a6d644df5
xfrm: Honor original L3 slave device in xfrmi policy lookup

[ Upstream commit 025c65e119bf58b610549ca359c9ecc5dee6a8d2 ]

If an xfrmi is associated to a vrf layer 3 master device,
xfrm_policy_check() fails after traffic decapsulation. The input
interface is replaced by the layer 3 master device, and hence
xfrmi_decode_session() can't match the xfrmi anymore to satisfy
policy checking.

Extend ingress xfrmi lookup to honor the original layer 3 slave
device, allowing xfrm interfaces to operate within a vrf domain.

Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
include/net/xfrm.h
net/xfrm/xfrm_interface.c
net/xfrm/xfrm_policy.c
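
A user-space model of the ingress lookup change described in the commit message, added here as an illustration; it is not the kernel code from this commit. The struct and function names, the orig_ifindex field, and the ifindex values are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model; none of these types are the kernel's. */
struct netdev { int ifindex; bool l3_master; };
struct pkt {
    const struct netdev *dev; /* input device as seen at policy check time */
    int orig_ifindex;         /* L3 slave the packet arrived on, 0 if unset */
};

/* Return the index of the xfrm interface whose ifindex equals key, or -1. */
static int match_xfrmi(const int *xfrmi_ifindex, size_t n, int key)
{
    for (size_t i = 0; i < n; i++)
        if (xfrmi_ifindex[i] == key)
            return (int)i;
    return -1;
}

/* Lookup keyed only on the current input device (the failing behaviour). */
static int lookup_input_dev_only(const struct pkt *p, const int *x, size_t n)
{
    return match_xfrmi(x, n, p->dev->ifindex);
}

/* Lookup that honors the original slave when the input device is an L3 master. */
static int lookup_honor_slave(const struct pkt *p, const int *x, size_t n)
{
    int key = p->dev->ifindex;
    if (p->dev->l3_master && p->orig_ifindex != 0)
        key = p->orig_ifindex;
    return match_xfrmi(x, n, key);
}

/* Constructed scenario: xfrmi (ifindex 7) enslaved to a VRF master (ifindex 3). */
static const struct netdev vrf0 = { 3, true };
static const struct netdev xfrm0 = { 7, false };
static const int xfrmis[] = { 7 };
static const struct pkt in_vrf = { &vrf0, 7 };  /* input device replaced by master */
static const struct pkt plain = { &xfrm0, 0 };  /* xfrmi outside any VRF */

int main(void)
{
    printf("vrf:   old=%d new=%d\n", lookup_input_dev_only(&in_vrf, xfrmis, 1),
           lookup_honor_slave(&in_vrf, xfrmis, 1));
    printf("plain: old=%d new=%d\n", lookup_input_dev_only(&plain, xfrmis, 1),
           lookup_honor_slave(&plain, xfrmis, 1));
    return 0;
}
```

In the model, a miss (-1) stands for the case where no xfrmi matches and the policy check cannot be satisfied, so decapsulated traffic inside the VRF is dropped rather than accepted.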