Message-ID: <ZDZx/Up5cbm1L07s@gauss3.secunet.de>
Date: Wed, 12 Apr 2023 10:55:25 +0200
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Sabrina Dubroca <sd@...asysnail.net>
CC: <netdev@...r.kernel.org>, Christian Langrock <christian.langrock@...unet.com>, Antony Antony <antony.antony@...unet.com>
Subject: Re: [PATCH ipsec] xfrm: don't check the default policy if the policy allows the packet

On Tue, Apr 04, 2023 at 03:12:16PM +0200, Sabrina Dubroca wrote:
> The current code doesn't let a simple "allow" policy counteract a
> default policy blocking all incoming packets:
>
>     ip x p setdefault in block
>     ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow
>
> At this stage, we have an allow policy (with or without transforms)
> for this packet. It doesn't matter what the default policy says, since
> the policy we looked up lets the packet through. The case of a
> blocking policy is already handled separately, so we can remove this
> check.
>
> Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
> Signed-off-by: Sabrina Dubroca <sd@...asysnail.net>

Applied, thanks a lot Sabrina!