When there is no policy configured on the system, the default policy is checked in xfrm_route_forward. However, it was done with the wrong direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT). The default policy for XFRM_POLICY_FWD was checked just before, with a call to xfrm[46]_policy_check().
CC: stable@vger.kernel.org Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") Signed-off-by: Nicolas Dichtel nicolas.dichtel@6wind.com --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 2308210793a0..55e574511af5 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1162,7 +1162,7 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) { struct net *net = dev_net(skb->dev);
- if (xfrm_default_allow(net, XFRM_POLICY_FWD)) + if (xfrm_default_allow(net, XFRM_POLICY_OUT)) return !net->xfrm.policy_count[XFRM_POLICY_OUT] || (skb_dst(skb)->flags & DST_NOXFRM) || __xfrm_route_forward(skb, family);
Hi Nicolas,
On Mon, Nov 22, 2021 at 11:33:13 +0100, Nicolas Dichtel wrote:
When there is no policy configured on the system, the default policy is checked in xfrm_route_forward. However, it was done with the wrong direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT).
How can I reproduce this? I tried adding fwd block and no policy and that blocked the forwarded traffic. I ran into another issue with fwd block and and tunnel. I will double check. Next week.
Le 25/11/2021 à 07:57, Antony Antony a écrit :
Hi Nicolas,
Hi Antony,
On Mon, Nov 22, 2021 at 11:33:13 +0100, Nicolas Dichtel wrote:
When there is no policy configured on the system, the default policy is checked in xfrm_route_forward. However, it was done with the wrong direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT).
How can I reproduce this? I tried adding fwd block and no policy and that blocked the forwarded traffic. I ran into another issue with fwd block and and tunnel. I will double check. Next week.
With the out default policy set to 'block' and no out policy configured, the packets are forwarded. After my patch, packets are blocked:
$ ip xfrm policy getdefault Default policies: in: accept fwd: accept out: block $ ip xfrm policy $
Regards, Nicolas
On Mon, Nov 22, 2021 at 11:33:13AM +0100, Nicolas Dichtel wrote:
When there is no policy configured on the system, the default policy is checked in xfrm_route_forward. However, it was done with the wrong direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT). The default policy for XFRM_POLICY_FWD was checked just before, with a call to xfrm[46]_policy_check().
CC: stable@vger.kernel.org Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") Signed-off-by: Nicolas Dichtel nicolas.dichtel@6wind.com
Applied, thanks Nicolas!
linux-stable-mirror@lists.linaro.org
-
Antony Antony -
Nicolas Dichtel -
Steffen Klassert