
[1/7] xfrm: don't check the default policy if the policy allows the packet

Message ID: 20230516052405.2677554-2-steffen.klassert@secunet.com
State: Accepted
Commit: 430cac487400494c19a8b85299e979bb07b4671f
Delegated to: Netdev Maintainers
Series: [1/7] xfrm: don't check the default policy if the policy allows the packet

Checks

Context                          Check    Description
netdev/series_format             warning  Pull request is its own cover letter; Target tree name not specified in the subject
netdev/tree_selection            success  Guessed tree name to be net-next
netdev/fixes_present             success  Fixes tag not required for -next series
netdev/header_inline             success  No static functions without inline keyword in header files
netdev/build_32bit               success  Errors and warnings before: 20 this patch: 20
netdev/cc_maintainers            fail     2 blamed authors not CCed: antony.antony@secunet.com christian.langrock@secunet.com; 4 maintainers not CCed: antony.antony@secunet.com edumazet@google.com pabeni@redhat.com christian.langrock@secunet.com
netdev/build_clang               success  Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff          success  Signed-off-by tag matches author and committer
netdev/deprecated_api            success  None detected
netdev/check_selftest            success  No net selftest shell script
netdev/verify_fixes              success  Fixes tag looks correct
netdev/build_allmodconfig_warn   success  Errors and warnings before: 20 this patch: 20
netdev/checkpatch                success  total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/kdoc                      success  Errors and warnings before: 0 this patch: 0
netdev/source_inline             success  Was 0 now: 0

Commit Message

Steffen Klassert May 16, 2023, 5:23 a.m. UTC
From: Sabrina Dubroca <sd@queasysnail.net>

The current code doesn't let a simple "allow" policy counteract a
default policy blocking all incoming packets:

    ip x p setdefault in block
    ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow

At this stage, we have an allow policy (with or without transforms)
for this packet. It doesn't matter what the default policy says, since
the policy we looked up lets the packet through. The case of a
blocking policy is already handled separately, so we can remove this
check.

Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_policy.c | 6 ------
 1 file changed, 6 deletions(-)
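The scenario in the commit message, turned into a regression check. This script is an added example; it is not part of the kernel patch, the series, or the netdev bot's checks. It assumes it runs as root on a kernel with xfrm, with an iproute2 new enough for `ip xfrm policy setdefault` and a `ping` binary. The two network namespaces and the veth names are arbitrary choices made here; the addresses 192.168.2.1 and 192.168.2.2 are the ones from the commit message. It also reads the XfrmInNoStates counter from /proc/net/xfrm_stat, because the branch the patch removes was the one bumping LINUX_MIB_XFRMINNOSTATES on this path.

```shell
#!/bin/sh
# Added regression check for "allow policy vs. default inbound block".
# Not part of the kernel patch. Assumes root, a kernel with xfrm,
# iproute2 with "ip xfrm policy setdefault", and a ping binary.
# Topology (constructed for this test, names are arbitrary):
#   ns $NS_A  192.168.2.1  <-- veth -->  192.168.2.2  ns $NS_B
NS_A=xfrm-repro-a
NS_B=xfrm-repro-b

xfrm_repro_cleanup() {
    ip link del xfrm-va 2>/dev/null      # only if the pair never left the root ns
    ip netns del "$NS_A" 2>/dev/null
    ip netns del "$NS_B" 2>/dev/null
    return 0
}

# One ICMP echo from A to B; exit 0 if a reply came back.
xfrm_repro_ping() {
    ip netns exec "$NS_A" ping -c 2 -W 2 192.168.2.2 >/dev/null 2>&1
}

# XfrmInNoStates as seen inside B's namespace (the removed branch bumped it).
xfrm_repro_nostates() {
    ip netns exec "$NS_B" awk '/^XfrmInNoStates/ { print $2 }' /proc/net/xfrm_stat
}

# Exit status: 0 = allow policy overrides the default block (patched kernel)
#              1 = echo still dropped after the allow policy (unpatched kernel)
#              2 = environment cannot run the test (not root, no ip/ping, ...)
xfrm_default_block_repro() {
    [ "$(id -u)" -eq 0 ] || return 2
    command -v ip >/dev/null 2>&1 || return 2
    command -v ping >/dev/null 2>&1 || return 2

    xfrm_repro_cleanup
    ip netns add "$NS_A" 2>/dev/null || return 2
    ip netns add "$NS_B" 2>/dev/null || { xfrm_repro_cleanup; return 2; }

    # Build the veth pair in the root ns, then hand one end to each ns.
    ip link add xfrm-va type veth peer name xfrm-vb 2>/dev/null &&
    ip link set xfrm-va netns "$NS_A" &&
    ip link set xfrm-vb netns "$NS_B" &&
    ip -n "$NS_A" addr add 192.168.2.1/24 dev xfrm-va &&
    ip -n "$NS_A" link set xfrm-va up &&
    ip -n "$NS_B" addr add 192.168.2.2/24 dev xfrm-vb &&
    ip -n "$NS_B" link set xfrm-vb up || { xfrm_repro_cleanup; return 2; }

    # Baseline: no policies anywhere, the echo must get through.
    xfrm_repro_ping || { xfrm_repro_cleanup; return 2; }

    # Step 1 of the commit message: block all inbound traffic in B by default.
    ip -n "$NS_B" xfrm policy setdefault in block 2>/dev/null ||
        { xfrm_repro_cleanup; return 2; }
    # Any kernel that honours the default must drop the echo request now;
    # if it does not, the default-policy feature itself is missing here.
    if xfrm_repro_ping; then xfrm_repro_cleanup; return 2; fi
    before=$(xfrm_repro_nostates)

    # Step 2: a plain allow policy for exactly this flow, no templates.
    ip -n "$NS_B" xfrm policy add src 192.168.2.1/32 dst 192.168.2.2/32 \
        dir in action allow || { xfrm_repro_cleanup; return 2; }
    if xfrm_repro_ping; then rc=0; else rc=1; fi
    after=$(xfrm_repro_nostates)
    echo "XfrmInNoStates in $NS_B: $before -> $after (rc=$rc)"

    xfrm_repro_cleanup
    return "$rc"
}
```

Source it and call `xfrm_default_block_repro; echo $?` as root. On a kernel with this patch the second ping succeeds and the function returns 0 with an unchanged XfrmInNoStates; on a kernel without it the allow policy is ignored, the counter grows by the number of echo requests sent, and the function returns 1. A return of 2 means the environment could not run the test, not that the kernel is unpatched.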

Comments

patchwork-bot+netdevbpf@kernel.org May 17, 2023, 4 a.m. UTC | #1
Hello:

This series was applied to netdev/net.git (main)
by Steffen Klassert <steffen.klassert@secunet.com>:

On Tue, 16 May 2023 07:23:59 +0200 you wrote:
> From: Sabrina Dubroca <sd@queasysnail.net>
> 
> The current code doesn't let a simple "allow" policy counteract a
> default policy blocking all incoming packets:
> 
>     ip x p setdefault in block
>     ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow
> 
> [...]

Here is the summary with links:
  - [1/7] xfrm: don't check the default policy if the policy allows the packet
    https://git.kernel.org/netdev/net/c/430cac487400
  - [2/7] xfrm: release all offloaded policy memory
    https://git.kernel.org/netdev/net/c/94b95dfaa814
  - [3/7] xfrm: Fix leak of dev tracker
    https://git.kernel.org/netdev/net/c/ec8f32ad9a65
  - [4/7] Revert "Fix XFRM-I support for nested ESP tunnels"
    https://git.kernel.org/netdev/net/c/5fc46f94219d
  - [5/7] xfrm: Reject optional tunnel/BEET mode templates in outbound policies
    https://git.kernel.org/netdev/net/c/3d776e31c841
  - [6/7] af_key: Reject optional tunnel/BEET mode templates in outbound policies
    https://git.kernel.org/netdev/net/c/cf3128a7aca5
  - [7/7] xfrm: Check if_id in inbound policy/secpath match
    https://git.kernel.org/netdev/net/c/8680407b6f8f

You are awesome, thank you!

Patch

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5c61ec04b839..62be042f2ebc 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3712,12 +3712,6 @@  int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 		}
 		xfrm_nr = ti;
 
-		if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK &&
-		    !xfrm_nr) {
-			XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
-			goto reject;
-		}
-
 		if (npols > 1) {
 			xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
 			tpp = stp;
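Review bot: dropping this block leaves the "policy found and it allows" path with no reference to net->xfrm.policy_default[dir] at all, which is the intent, but it means an allow policy with zero templates (xfrm_nr == 0) and no secpath is now accepted unconditionally, so the two paths the change relies on, the XFRM_POLICY_BLOCK action check the commit message says is handled separately and the no-policy branch of __xfrm_policy_check that still applies the default, both sit outside this hunk and should be re-read against it before merging. The removed lines were also the only place this path counted LINUX_MIB_XFRMINNOSTATES; nothing is rejected any more, so not counting is correct, but a sentence in the commit message saying the counter stops incrementing for this case would save the next reader a look at the history. Finally, the check_selftest result above reports no selftest with this fix; a small netns test that runs `ip x p setdefault in block`, adds the allow policy from the commit message and asserts the packet passes would pin down the semantics that 2d151d39073a introduced and this patch corrects.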