Thread (8 messages) 8 messages, 2 authors, 2022-09-30

Re: [PATCH v2 ipsec 2/2] xfrm: Ensure policy checked for nested ESP tunnels

From: Benedict Wong <hidden>
Date: 2022-09-23 01:34:18

Ahh, I've never had an IPv4 server without a NAT to test against, I'd presume
this is identical there. The only comparison that I've been able to do was IPv4
UDP-encap vs IPv6 ESP.

We could instead add the policy check to the ESP input path if that is
the correct place.


On Wed, Sep 21, 2022 at 11:27 PM Steffen Klassert
[off-list ref] wrote:
> On Fri, Sep 16, 2022 at 10:44:42PM -0700, Benedict Wong wrote:
> > Thanks for the response; apologies for taking a while to re-patch this
> > and verify.
> >
> > I think this /almost/ does what we need to. I'm still seeing v6 ESP in v6
> > ESP tunnels failing; I think it's due to the fact that the IPv6 ESP
> > codepath does not trigger policy checks in the receive codepath until it
> > hits the socket, or changes namespace.
> > Perhaps if we verify policy unconditionally in xfrmi_rcv_cb? Combined
> > with your change above, this should ensure IPv6 ESP also checks policies,
> > and inside that clear the secpath?
>
> Hm, do you know why this is different to IPv4? IPv4 and IPv6 should
> do the same regarding policy checks.