git.baikalelectronics.ru Git - kernel.git/commit

author	Xin Long <lucien.xin@gmail.com>
	Mon, 22 Jun 2020 08:40:29 +0000 (16:40 +0800)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Wed, 24 Jun 2020 07:13:13 +0000 (09:13 +0200)
commit	9e8aeab3334c3019b5b14673a15507160489592d
tree	af80bc6678344ec8fd3592d566ac66c268923faf	tree \| snapshot
parent	c84cf98d931f7712d4cbad3a5f41a186bc2b76a3	commit \| diff

xfrm: policy: match with both mark and mask on user interfaces

In commit 7bb851ebe7e1 ("xfrm: fix a warning in xfrm_policy_insert_list"),
it would take 'priority' to make a policy unique, and allow duplicated
policies with different 'priority' to be added, which is not expected
by userland, as Tobias reported in strongswan.

To fix this duplicated policies issue, and also fix the issue in
commit 7bb851ebe7e1 ("xfrm: fix a warning in xfrm_policy_insert_list"),
when doing add/del/get/update on user interfaces, this patch is to change
to look up a policy with both mark and mask by doing:

  mark.v == pol->mark.v && mark.m == pol->mark.m

and leave the check:

  (mark & pol->mark.m) == pol->mark.v

for tx/rx path only.

As the userland expects an exact mark and mask match to manage policies.

v1->v2:
  - make xfrm_policy_mark_match inline and fix the changelog as
    Tobias suggested.

Fixes: 9fa9fe097b70 ("xfrm: Allow user space manipulation of SPD mark")
Fixes: 7bb851ebe7e1 ("xfrm: fix a warning in xfrm_policy_insert_list")
Reported-by: Tobias Brunner <tobias@strongswan.org>
Tested-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

include/net/xfrm.h		diff \| blob \| history
net/key/af_key.c		diff \| blob \| history
net/xfrm/xfrm_policy.c		diff \| blob \| history
net/xfrm/xfrm_user.c		diff \| blob \| history