From patchwork Tue Apr 11 07:25:02 2023
X-Patchwork-Submitter: Martin Willi
X-Patchwork-Id: 13207140
X-Patchwork-Delegate: kuba@kernel.org
From: Martin Willi
To: Steffen Klassert, Benedict Wong
Cc: Herbert Xu, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org
Subject: [PATCH ipsec] xfrm: Preserve xfrm interface secpath for packets forwarded
Date: Tue, 11 Apr 2023 09:25:02 +0200
Message-Id: <20230411072502.21315-1-martin@strongswan.org>

The commit referenced below clears the secpath on packets received via xfrm interfaces to support nested IPsec tunnels. This breaks Netfilter policy matching using xt_policy in the FORWARD chain, as the secpath is missing during forwarding. INPUT matching is not affected, as it is done before secpath reset.

A work-around could use XFRM input interface matching for such rules, but this does not work if the XFRM interface is part of a VRF; the Netfilter input interface is replaced by the VRF interface, making a sufficient match for IPsec-protected packets difficult.

So instead, limit the secpath reset to packets that are targeting the local host, in the default or a specific VRF. This should allow nested tunnels, but keeps the secpath intact on packets that are passed to Netfilter chains with potential IPsec policy matches.

Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
Signed-off-by: Martin Willi
---
 include/net/xfrm.h     | 10 ++++++++++
 net/xfrm/xfrm_policy.c |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 3e1f70e8e424..f16df2f07a83 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -1349,6 +1349,16 @@ void xfrm_flowi_addr_get(const struct flowi *fl, } } +static inline bool xfrm_flowi_is_forwarding(struct net *net, + const struct flowi *fl) +{ + if (fl->flowi_oif == LOOPBACK_IFINDEX) + return false; + if (netif_index_is_l3_master(net, fl->flowi_oif)) + return false; + return true; +} + static __inline__ int __xfrm4_state_addr_check(const struct xfrm_state *x, const xfrm_address_t *daddr, const xfrm_address_t *saddr) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 5c61ec04b839..4f49698eb29f 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -3745,7 +3745,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, goto reject; } - if (if_id) + if (if_id && !xfrm_flowi_is_forwarding(net, &fl)) secpath_reset(skb); xfrm_pols_put(pols, npols);
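Review bot: the include/net/xfrm.h hunk adds xfrm_flowi_is_forwarding() with no comment explaining why an oif of LOOPBACK_IFINDEX or an L3 master device means local delivery rather than forwarding; that reasoning lives only in the commit message. Suggest a short kernel-doc block above the helper stating that the flow's output interface comes from the skb's route and that locally delivered routes resolve to loopback or, inside a VRF, to the master device, so a reader of the header does not have to dig up this patch. Please also confirm that include/net/xfrm.h already pulls in net/l3mdev.h, which declares netif_index_is_l3_master(); a static inline in a widely included header will otherwise break any file that includes xfrm.h on its own.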
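Review bot: in the net/xfrm/xfrm_policy.c hunk the new condition `if (if_id && !xfrm_flowi_is_forwarding(net, &fl))` changes when the secpath survives, but the call site carries no comment tying it to the nested-tunnel reset that b0355dbbf13c introduced, so a later cleanup could easily restore the unconditional secpath_reset(). Suggest a one-line comment such as `/* keep the secpath on forwarded packets so xt_policy can match in FORWARD */` next to the check. It would also help to state in the commit message how the fix was exercised, in particular that xt_policy matching in FORWARD was verified both with the xfrm interface in the default namespace and enslaved to a VRF, since the VRF case is the motivating one.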