lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 15 Jan 2020 20:22:31 +0100
From:   Andrea Mayer <>
To:     "David S. Miller" <>,
        Petr Machata <>,
        Stefano Brivio <>,
        Eric Dumazet <>,
        Taehee Yoo <>,
        Litao jiao <>,
        Roopa Prabhu <>,,
Cc:     Andrea Mayer <>,
        Paolo Lungaroni <>
Subject: [net] vxlan: fix vxlan6_get_route() adding a call to xfrm_lookup_route()

currently IPSEC cannot be used to encrypt/decrypt IPv6 vxlan traffic.
The problem is that the vxlan module uses the vxlan6_get_route()
function to find out the route for transmitting an IPv6 packet, which in
turn uses ip6_dst_lookup() available in ip6_output.c.
Unfortunately ip6_dst_lookup() does not perform any xfrm route lookup,
so the xfrm framework cannot be used with vxlan6.

To fix the issue above, the vxlan6_get_route() function has been patched
by adding a missing call to xfrm_lookup_route(). Doing that, the
vxlan6_get_route() is now capable to lookup a route taking into account
also xfrm policies, if any.

Signed-off-by: Andrea Mayer <>
Signed-off-by: Paolo Lungaroni <>
 drivers/net/vxlan.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index bf04bc2e68c2..bec55a911c4f 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2306,6 +2306,11 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
+	ndst = xfrm_lookup_route(vxlan->net, ndst, flowi6_to_flowi(&fl6),
+				 sock6->sock->sk, 0);
+	if (IS_ERR_OR_NULL(ndst))
 	if (unlikely(ndst->dev == dev)) {
 		netdev_dbg(dev, "circular route to %pI6\n", daddr);

Powered by blists - more mailing lists