On Thu, Sep 24, 2020 at 05:43:51PM +1000, Herbert Xu wrote:

On Thu, Sep 24, 2020 at 09:40:26AM +0200, Steffen Klassert wrote:

quoted

This is yet another ipv4 mapped ipv6 address with IPsec socket policy
combination bug, and I'm sure it is not the last one. We could fix this
one by adding another check to match the address family of the policy
and the SA selector, but maybe it is better to think about how this
should work at all.

We can have only one socket policy for each direction and that
policy accepts either ipv4 or ipv6. We treat this ipv4 mapped ipv6
address as ipv4 and pass it down the ipv4 stack, so this dual usage
will not work with a socket policy. Maybe we can require IPV6_V6ONLY
for sockets with policy attached. Thoughts?

I'm looking at the history of this and it used to work at the start
because you'd always interpret the flow object with a family.  This
appears to have been lost with 8444cf712c5f71845cba9dc30d8f530ff0d5ff83. 

I'm sure it can be fixed to work with either ipv4 or ipv6.
If I understand that right, it should be possible to talk
ipv4 and ipv6 through that socket, but the policy will
accept only one address family.

I'm working on a fix.

Thanks!