Re: [PATCH v2 ipsec 2/2] xfrm: Ensure policy checked for nested ESP tunnels
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: 2022-09-30 07:47:56
On Thu, Sep 22, 2022 at 06:33:55PM -0700, Benedict Wong wrote:
Ahh, I've never had an IPv4 server without a NAT to test against; I'd presume this is identical there. The only comparison that I've been able to do was IPv4 UDP-encap vs IPv6 ESP. We could instead add the policy check to the ESP input path if that is the correct place.
Ok, looks like there is a policy check missing for xfrm_interfaces when one (or more) transformations have already happened. The best would be to add a separate xfrm_interfaces rcv handler (in struct xfrm6_protocol/xfrm4_protocol) for esp4/6 and do the policy check if we have a secpath present. That should fix it in combination with resetting the secpath in the policy_check as I did in my previous patch.