| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240901235737.2757335-3-eyal.birger@gmail.com>
Date: Sun, 1 Sep 2024 16:57:37 -0700
From: Eyal Birger <eyal.birger@...il.com>
To: steffen.klassert@...unet.com,
herbert@...dor.apana.org.au,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
dsahern@...nel.org,
pabeni@...hat.com
Cc: netdev@...r.kernel.org,
devel@...ux-ipsec.org,
Eyal Birger <eyal.birger@...il.com>
Subject: [PATCH ipsec 2/2] xfrm: respect ip protocols rules criteria when performing dst lookups
The series in the "fixes" tag added the ability to consider L4 attributes
in routing rules.
The dst lookup in the xfrm code was not adapted to this change, thus
routing behavior that relies on L4 information is not respected, which
is relevant for UDP encapsulated IPsec traffic.
Pass the ip protocol information when performing dst lookups.
Fixes: a25724b05af0 ("Merge branch 'fib_rules-support-sport-dport-and-proto-match'")
Signed-off-by: Eyal Birger <eyal.birger@...il.com>
---
include/net/xfrm.h | 2 ++
net/ipv4/xfrm4_policy.c | 2 ++
net/ipv6/xfrm6_policy.c | 3 +++
net/xfrm/xfrm_policy.c | 14 ++++++++++++++
4 files changed, 21 insertions(+)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index c14c2be846f1..2928aeca0abf 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -352,6 +352,8 @@ struct xfrm_dst_lookup_params {
xfrm_address_t *saddr;
xfrm_address_t *daddr;
u32 mark;
+ __u8 ipproto;
+ union flowi_uli uli;
};
struct net_device;
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index ac1a28ef0c56..7e1c2faed1ff 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -30,6 +30,8 @@ static struct dst_entry *__xfrm4_dst_lookup(struct flowi4 *fl4,
fl4->flowi4_mark = params->mark;
if (params->saddr)
fl4->saddr = params->saddr->a4;
+ fl4->flowi4_proto = params->ipproto;
+ fl4->uli = params->uli;
rt = __ip_route_output_key(params->net, fl4);
if (!IS_ERR(rt))
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 2ee18b739f4a..656e831edaec 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -37,6 +37,9 @@ static struct dst_entry *xfrm6_dst_lookup(const struct xfrm_dst_lookup_params *p
if (params->saddr)
memcpy(&fl6.saddr, params->saddr, sizeof(fl6.saddr));
+ fl6.flowi4_proto = params->ipproto;
+ fl6.uli = params->uli;
+
dst = ip6_route_output(params->net, NULL, &fl6);
err = dst->error;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index f89b54da20c8..f93ffb827c69 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -312,6 +312,20 @@ static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
params.tos = tos;
params.oif = oif;
params.mark = mark;
+ if (x->encap) {
+ switch (x->encap->encap_type) {
+ case UDP_ENCAP_ESPINUDP:
+ params.ipproto = IPPROTO_UDP;
+ params.uli.ports.sport = x->encap->encap_sport;
+ params.uli.ports.dport = x->encap->encap_dport;
+ break;
+ case TCP_ENCAP_ESPINTCP:
+ params.ipproto = IPPROTO_TCP;
+ params.uli.ports.sport = x->encap->encap_sport;
+ params.uli.ports.dport = x->encap->encap_dport;
+ break;
+ }
+ }
dst = __xfrm_dst_lookup(family, ¶ms);
--
2.34.1
Powered by blists - more mailing lists