| Message ID | 20211122103313.1331-1-nicolas.dichtel@6wind.com (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [ipsec] xfrm: fix dflt policy check when there is no policy configured | expand |
Hi Nicolas, On Mon, Nov 22, 2021 at 11:33:13 +0100, Nicolas Dichtel wrote: > When there is no policy configured on the system, the default policy is > checked in xfrm_route_forward. However, it was done with the wrong > direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT). How can I reproduce this? I tried adding fwd block and no policy and that blocked the forwarded traffic. I ran into another issue with fwd block and and tunnel. I will double check. Next week.
Le 25/11/2021 à 07:57, Antony Antony a écrit : > Hi Nicolas, Hi Antony, > > On Mon, Nov 22, 2021 at 11:33:13 +0100, Nicolas Dichtel wrote: >> When there is no policy configured on the system, the default policy is >> checked in xfrm_route_forward. However, it was done with the wrong >> direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT). > > How can I reproduce this? > I tried adding fwd block and no policy and that blocked the forwarded traffic. > I ran into another issue with fwd block and and tunnel. I will double check. Next week. > With the out default policy set to 'block' and no out policy configured, the packets are forwarded. After my patch, packets are blocked: $ ip xfrm policy getdefault Default policies: in: accept fwd: accept out: block $ ip xfrm policy $ Regards, Nicolas
On Mon, Nov 22, 2021 at 11:33:13AM +0100, Nicolas Dichtel wrote: > When there is no policy configured on the system, the default policy is > checked in xfrm_route_forward. However, it was done with the wrong > direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT). > The default policy for XFRM_POLICY_FWD was checked just before, with a call > to xfrm[46]_policy_check(). > > CC: stable@vger.kernel.org > Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Applied, thanks Nicolas!
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 2308210793a0..55e574511af5 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1162,7 +1162,7 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) { struct net *net = dev_net(skb->dev); - if (xfrm_default_allow(net, XFRM_POLICY_FWD)) + if (xfrm_default_allow(net, XFRM_POLICY_OUT)) return !net->xfrm.policy_count[XFRM_POLICY_OUT] || (skb_dst(skb)->flags & DST_NOXFRM) || __xfrm_route_forward(skb, family);
When there is no policy configured on the system, the default policy is checked in xfrm_route_forward. However, it was done with the wrong direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT). The default policy for XFRM_POLICY_FWD was checked just before, with a call to xfrm[46]_policy_check(). CC: stable@vger.kernel.org Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)