• Benedict Wong's avatar
    Fix XFRM-I support for nested ESP tunnels · b0355dbb
    Benedict Wong authored
    This change adds support for nested IPsec tunnels by ensuring that
    XFRM-I verifies existing policies before decapsulating a subsequent
    policies. Addtionally, this clears the secpath entries after policies
    are verified, ensuring that previous tunnels with no-longer-valid
    do not pollute subsequent policy checks.
    
    This is necessary especially for nested tunnels, as the IP addresses,
    protocol and ports may all change, thus not matching the previous
    policies. In order to ensure that packets match the relevant inbound
    templates, the xfrm_policy_check should be done before handing off to
    the inner XFRM protocol to decrypt and decapsulate.
    
    Notably, raw ESP/AH packets did not perform policy checks inherently,
    whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
    checks after calling xfrm_input handling in the respective encapsulation
    layer.
    
    Test: Verified with additional Android Kernel Unit tests
    Signed-off-by: default avatarBenedict Wong <benedictwong@google.com>
    Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    b0355dbb
xfrm_policy.c 109 KB