diff options
| author | Xin Long <lucien.xin@gmail.com> | 2020-06-22 16:40:29 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-04-15 14:15:07 +0200 |
| commit | 00cdc297e219798a43bf55a8b1b1df6b6285c8e6 (patch) | |
| tree | 0ba16b84d238f000b89a0f177948edc45859d7e9 /include/net | |
| parent | 86be2e7111e20b6b57850e9d203276c89af117da (diff) | |
| download | linux-stable-00cdc297e219798a43bf55a8b1b1df6b6285c8e6.tar.gz linux-stable-00cdc297e219798a43bf55a8b1b1df6b6285c8e6.tar.bz2 linux-stable-00cdc297e219798a43bf55a8b1b1df6b6285c8e6.zip | |
xfrm: policy: match with both mark and mask on user interfaces
commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 upstream.
In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
it would take 'priority' to make a policy unique, and allow duplicated
policies with different 'priority' to be added, which is not expected
by userland, as Tobias reported in strongswan.
To fix this duplicated policies issue, and also fix the issue in
commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
when doing add/del/get/update on user interfaces, this patch is to change
to look up a policy with both mark and mask by doing:
mark.v == pol->mark.v && mark.m == pol->mark.m
and leave the check:
(mark & pol->mark.m) == pol->mark.v
for tx/rx path only.
As the userland expects an exact mark and mask match to manage policies.
v1->v2:
- make xfrm_policy_mark_match inline and fix the changelog as
Tobias suggested.
Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
Reported-by: Tobias Brunner <tobias@strongswan.org>
Tested-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/xfrm.h | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index a8aa2bb74ad6..6b18cd0e511a 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1739,13 +1739,16 @@ int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk, void *); void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net); int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); -struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id, - u8 type, int dir, +struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, + const struct xfrm_mark *mark, + u32 if_id, u8 type, int dir, struct xfrm_selector *sel, struct xfrm_sec_ctx *ctx, int delete, int *err); -struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id, u8, - int dir, u32 id, int delete, int *err); +struct xfrm_policy *xfrm_policy_byid(struct net *net, + const struct xfrm_mark *mark, u32 if_id, + u8 type, int dir, u32 id, int delete, + int *err); int xfrm_policy_flush(struct net *net, u8 type, bool task_valid); void xfrm_policy_hash_rebuild(struct net *net); u32 xfrm_get_acqseq(void); |