* [PATCH ipsec] xfrm: Fix inbound traffic via XFRM interfaces across network namespaces
@ 2019-02-18  9:49 Tobias Brunner
  2019-02-19  6:04 ` Steffen Klassert
  0 siblings, 1 reply; 2+ messages in thread
From: Tobias Brunner @ 2019-02-18  9:49 UTC (permalink / raw)
  To: Steffen Klassert; +Cc: netdev

After moving an XFRM interface to another namespace it stays associated
with the original namespace (net in `struct xfrm_if` and the list keyed
with `xfrmi_net_id`), allowing processes in the new namespace to use
SAs/policies that were created in the original namespace.  For instance,
this allows a keying daemon in one namespace to establish IPsec SAs for
other namespaces without processes there having access to the keys or IKE
credentials.

This worked fine for outbound traffic; for inbound traffic, however, the
lookup for the interfaces and the policies used the incorrect namespace
(the one the XFRM interface was moved to).

Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
---
 net/xfrm/xfrm_interface.c | 4 ++--
 net/xfrm/xfrm_policy.c    | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 6be8c7df15bb..dbb3c1945b5c 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -76,10 +76,10 @@ static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb)
 	int ifindex;
 	struct xfrm_if *xi;
 
-	if (!skb->dev)
+	if (!secpath_exists(skb) || !skb->dev)
 		return NULL;
 
-	xfrmn = net_generic(dev_net(skb->dev), xfrmi_net_id);
+	xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);
 	ifindex = skb->dev->ifindex;
 
 	for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
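Review bot: the `secpath_exists(skb)` guard added on the `if (!secpath_exists(skb) || !skb->dev)` line changes what callers get for a packet that reaches `xfrmi_decode_session()` without a secpath: before, such a packet on an xfrm interface still resolved to its `xfrm_if`; now it resolves to NULL. That is required, since `xfrm_input_state(skb)` on the next changed line dereferences the secpath, but it is worth confirming that every caller of the `decode_session` callback sits on the input path where a secpath is guaranteed, or that a NULL result (and therefore `if_id` 0) is the intended outcome there. A short comment above `xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);` saying that the SA's namespace, not `dev_net(skb->dev)`, is used because the interface may have been moved out of the namespace that owns its list would help the next reader.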
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index ba0a4048c846..8d1a898d0ba5 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3314,8 +3314,10 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 
 	if (ifcb) {
 		xi = ifcb->decode_session(skb);
-		if (xi)
+		if (xi) {
 			if_id = xi->p.if_id;
+			net = xi->net;
+		}
 	}
 	rcu_read_unlock();
 
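Review bot: `net = xi->net;` reassigns `net` late in `__xfrm_policy_check()`, so any use of `net` above this hunk (the function's earlier lines, including wherever `net` was first initialised, are not in the diff) still sees the device's namespace rather than the interface's original one; please confirm nothing before this point does a per-namespace lookup or statistics update with the old value, or move the assignment up. Also, `xi->net` is read under `rcu_read_lock()` and then used after the `rcu_read_unlock()` that follows; a one-line comment such as `/* policies and SAs live in the namespace the interface was created in */` above the assignment would document why the device namespace is deliberately overridden here.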
-- 
2.17.1

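The setup the commit message describes, as an added example that is not part of the patch or of strongSwan: an xfrm interface is created in the root namespace where the keying daemon runs, moved into another namespace, and the SAs and policies are installed in the root namespace and bound to it by if_id. The namespace name, device names, addresses, SPIs, the if_id value and the key are all made-up placeholders; the script assumes a kernel with xfrm interface support and an iproute2 that understands `type xfrm ... if_id` and the `if_id` option on `ip xfrm state`/`policy`. It only prints the commands unless APPLY=1 is set, in which case it must run as root.

```shell
#!/bin/sh
# Added example, not part of the patch or of strongSwan: build the topology the
# commit message describes with iproute2. Every name, address, SPI, if_id and
# the key are made-up placeholders. Commands are printed, and only executed
# (as root) when APPLY=1 is set.
set -eu

NS=blue                    # assumed: namespace the interface is moved to
XFRMI=ipsec0               # assumed: xfrm interface name
PHYS=eth0                  # assumed: underlay device in the root namespace
IF_ID=42                   # ties interface, SAs and policies together
LOCAL=192.0.2.1            # outer tunnel endpoints (documentation ranges)
REMOTE=198.51.100.1
INNER_LOCAL=10.0.1.0/24    # traffic selectors inside the tunnel
INNER_REMOTE=10.0.2.0/24
# Constructed 16-byte AES-GCM key plus 4-byte salt for rfc4106(gcm(aes)); placeholder only.
KEY=0x00112233445566778899aabbccddeeff01020304

# run prints the command line and executes it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    fi
}

setup() {
    run ip netns add "$NS"
    # The interface is created in the root namespace, where the keying daemon
    # runs, so its struct xfrm_if stays bound to that namespace ...
    run ip link add "$XFRMI" type xfrm dev "$PHYS" if_id "$IF_ID"
    # ... even after it is moved; the plaintext side now lives in $NS.
    run ip link set "$XFRMI" netns "$NS"
    run ip -n "$NS" addr add 10.0.1.1/24 dev "$XFRMI"
    run ip -n "$NS" link set "$XFRMI" up
    run ip -n "$NS" route add "$INNER_REMOTE" dev "$XFRMI"
    # SAs and policies are installed in the root namespace and matched to the
    # interface by if_id; processes in $NS never see the keys.
    run ip xfrm state add src "$LOCAL" dst "$REMOTE" proto esp spi 0x1000 reqid 1 \
        mode tunnel if_id "$IF_ID" aead 'rfc4106(gcm(aes))' "$KEY" 128
    run ip xfrm state add src "$REMOTE" dst "$LOCAL" proto esp spi 0x2000 reqid 1 \
        mode tunnel if_id "$IF_ID" aead 'rfc4106(gcm(aes))' "$KEY" 128
    run ip xfrm policy add src "$INNER_LOCAL" dst "$INNER_REMOTE" dir out if_id "$IF_ID" \
        tmpl src "$LOCAL" dst "$REMOTE" proto esp reqid 1 mode tunnel
    run ip xfrm policy add src "$INNER_REMOTE" dst "$INNER_LOCAL" dir in if_id "$IF_ID" \
        tmpl src "$REMOTE" dst "$LOCAL" proto esp reqid 1 mode tunnel
}

# verify shows the asymmetry the commit message relies on: the root namespace
# lists the SAs, the namespace holding the moved interface lists none.
verify() {
    run ip xfrm state
    run ip -n "$NS" xfrm state
}

setup
verify
```

With the interface up in `blue`, traffic routed into `ipsec0` there is protected with the SAs that only the root namespace can list; before this patch that direction worked while replies decapsulated on the same interface were matched against `blue`'s (empty) policy set.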

* Re: [PATCH ipsec] xfrm: Fix inbound traffic via XFRM interfaces across network namespaces
  2019-02-18  9:49 [PATCH ipsec] xfrm: Fix inbound traffic via XFRM interfaces across network namespaces Tobias Brunner
@ 2019-02-19  6:04 ` Steffen Klassert
  0 siblings, 0 replies; 2+ messages in thread
From: Steffen Klassert @ 2019-02-19  6:04 UTC (permalink / raw)
  To: Tobias Brunner; +Cc: netdev

On Mon, Feb 18, 2019 at 10:49:39AM +0100, Tobias Brunner wrote:
> After moving an XFRM interface to another namespace it stays associated
> with the original namespace (net in `struct xfrm_if` and the list keyed
> with `xfrmi_net_id`), allowing processes in the new namespace to use
> SAs/policies that were created in the original namespace.  For instance,
> this allows a keying daemon in one namespace to establish IPsec SAs for
> other namespaces without processes there having access to the keys or IKE
> credentials.
> 
> This worked fine for outbound traffic; for inbound traffic, however, the
> lookup for the interfaces and the policies used the incorrect namespace
> (the one the XFRM interface was moved to).
> 
> Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
> Signed-off-by: Tobias Brunner <tobias@strongswan.org>

Applied, thanks a lot Tobias!

