Message-ID: <20230510013022.2602474-1-benedictwong@google.com>
Date: Wed, 10 May 2023 01:30:20 +0000
From: Benedict Wong <benedictwong@...gle.com>
To: netdev@...r.kernel.org, steffen.klassert@...unet.com,
martin@...ongswan.org
Cc: nharold@...gle.com, benedictwong@...gle.com, evitayan@...gle.com
Subject: Re-adding support for nested IPsec tunnels
This patch set adds support for inbound nested IPsec tunnels within the
same network namespace by incrementally marking verified secpath entries
once policy checks are complete. This allows each layer of nested
tunnels to be verified, even where the outermost headers change
(src/dst/proto/etc).
The previous iteration b0355dbbf13c ("Fix XFRM-I support for nested ESP
tunnels") attempted to clear secpath entries once verified, but that
caused issues with netfilter policy matching (lack of secpath entries to
match against), and transport-in-tunnel mode (where the tunnel policies
are still resolvable, and thus expected).
Notably, all secpath entries (except where optional) must still be
validated, but the validation may now happen in multiple steps.
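A toy model of the incremental-marking idea described above, added here as an illustration and not taken from the patch set: secpath entries are retained and a counter of already-verified entries advances per layer. The secpath layout, the field name `verified_cnt`, outermost-first template order and the SPI values are all assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy secpath entry (the SA that decapsulated one layer) and policy
 * template (the SA the flow is expected to have traversed). */
struct sp_entry { unsigned int spi; };
struct sp_tmpl { unsigned int spi; bool optional; };

/* Entries are never removed; verified_cnt (an assumed name, modelling
 * the idea rather than the patch set's code) counts the leading entries
 * that already passed a policy check at an outer layer. */
struct sec_path { struct sp_entry xvec[6]; size_t len, verified_cnt; };

/* Policy check for one layer: templates (outermost first in this toy)
 * are matched only against entries not yet verified by an earlier layer.
 * Matched entries become verified but stay in place, so netfilter
 * matching and the next nesting level still see them. */
bool policy_check_layer(struct sec_path *sp, const struct sp_tmpl *t, size_t nt)
{
    size_t k = sp->verified_cnt;
    for (size_t i = 0; i < nt; i++) {
        if (k < sp->len && sp->xvec[k].spi == t[i].spi) { k++; continue; }
        if (t[i].optional) continue;  /* an optional SA may be absent */
        return false;                 /* mandatory SA missing: reject */
    }
    sp->verified_cnt = k;
    return true;
}

/* Netfilter-style lookup still works because nothing was cleared. */
bool secpath_has_spi(const struct sec_path *sp, unsigned int spi)
{
    for (size_t i = 0; i < sp->len; i++)
        if (sp->xvec[i].spi == spi) return true;
    return false;
}

/* Constructed scenario: outer tunnel SA 0x100 carries inner SA 0x200; the
 * inner check runs after the outer headers are gone. 0 = all verified. */
int nested_scenario(void)
{
    struct sec_path sp = { .len = 1, .xvec = { {0x100} } };
    const struct sp_tmpl outer[] = { {0x100, false} }, inner[] = { {0x200, false} };
    if (!policy_check_layer(&sp, outer, 1)) return -1;  /* layer 1 verified */
    sp.xvec[sp.len++].spi = 0x200;                      /* inner ESP decapsulated */
    if (!policy_check_layer(&sp, inner, 1)) return -2;  /* layer 2 verified */
    if (!secpath_has_spi(&sp, 0x100)) return -3;        /* outer SA still visible */
    return sp.verified_cnt == sp.len ? 0 : -4;          /* all entries validated */
}
```

With the earlier clearing approach the outer entry would be gone before the inner check, so `secpath_has_spi(&sp, 0x100)` is exactly the netfilter-style lookup that used to fail.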