[PATCH] ipv4/ip_vti.c: VTI fix post-decryption forwarding

[PATCH] ipv4/ip_vti.c: VTI fix post-decryption forwarding

[Saurabh]

With the latest kernel there are two things that must be done post decryption
 so that the packet are forwarded.
 1. Remove the mark from the packet. This will cause the packet to not match
 the ipsec-policy again. However doing this causes the post-decryption check to
 fail also and the packet will get dropped. (cat /proc/net/xfrm_stat).
 2. Remove the sp association in the skbuff so that no policy check is done on
 the packet for VTI tunnels.

Due to #2 above we must now do a security-policy check in the vti rcv path
prior to resetting the mark in the skbuff.

Signed-off-by: Saurabh Mohan <saurabh.mohan@vyatta.com>
Reported-by: Ruben Herold <ruben@puettmann.net>

---
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 1831092..858fddf 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -338,12 +338,17 @@ static int vti_rcv(struct sk_buff *skb)
 	if (tunnel != NULL) {
 		struct pcpu_tstats *tstats;
 
+		if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+			return -1;
+
 		tstats = this_cpu_ptr(tunnel->dev->tstats);
 		u64_stats_update_begin(&tstats->syncp);
 		tstats->rx_packets++;
 		tstats->rx_bytes += skb->len;
 		u64_stats_update_end(&tstats->syncp);
 
+		skb->mark = 0;
+		secpath_reset(skb);
 		skb->dev = tunnel->dev;
 		return 1;
 	}

Re: [PATCH] ipv4/ip_vti.c: VTI fix post-decryption forwarding

[David Miller]

From: Saurabh <saurabh.mohan@vyatta.com>
Date: Mon, 12 Nov 2012 14:17:31 -0800

> 
> 
> With the latest kernel there are two things that must be done post decryption
>  so that the packet are forwarded.
>  1. Remove the mark from the packet. This will cause the packet to not match
>  the ipsec-policy again. However doing this causes the post-decryption check to
>  fail also and the packet will get dropped. (cat /proc/net/xfrm_stat).
>  2. Remove the sp association in the skbuff so that no policy check is done on
>  the packet for VTI tunnels.
> 
> Due to #2 above we must now do a security-policy check in the vti rcv path
> prior to resetting the mark in the skbuff.
> 
> Signed-off-by: Saurabh Mohan <saurabh.mohan@vyatta.com>
> Reported-by: Ruben Herold <ruben@puettmann.net>

Please fix your email configuration so that the From: field
properly lists your full name, "Saurabh Mohan" instead of
just plain "Saurabh".

Otherwise the author of the commit will not be set properly
when I apply this.

Thanks.

[PATCH] ipv4/ip_vti.c: VTI fix post-decryption forwarding

[Saurabh Mohan]

With the latest kernel there are two things that must be done post decryption
 so that the packet are forwarded.
 1. Remove the mark from the packet. This will cause the packet to not match
 the ipsec-policy again. However doing this causes the post-decryption check to
 fail also and the packet will get dropped. (cat /proc/net/xfrm_stat).
 2. Remove the sp association in the skbuff so that no policy check is done on
 the packet for VTI tunnels.

Due to #2 above we must now do a security-policy check in the vti rcv path
prior to resetting the mark in the skbuff.

Signed-off-by: Saurabh Mohan <saurabh.mohan@vyatta.com>
Reported-by: Ruben Herold <ruben@puettmann.net>

---
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 1831092..858fddf 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -338,12 +338,17 @@ static int vti_rcv(struct sk_buff *skb)
 	if (tunnel != NULL) {
 		struct pcpu_tstats *tstats;
 
+		if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+			return -1;
+
 		tstats = this_cpu_ptr(tunnel->dev->tstats);
 		u64_stats_update_begin(&tstats->syncp);
 		tstats->rx_packets++;
 		tstats->rx_bytes += skb->len;
 		u64_stats_update_end(&tstats->syncp);
 
+		skb->mark = 0;
+		secpath_reset(skb);
 		skb->dev = tunnel->dev;
 		return 1;
 	}

Re: [PATCH] ipv4/ip_vti.c: VTI fix post-decryption forwarding

[David Miller]

From: Saurabh Mohan <saurabh.mohan@vyatta.com>
Date: Wed, 14 Nov 2012 18:08:15 -0800

> 
> 
> With the latest kernel there are two things that must be done post decryption
>  so that the packet are forwarded.
>  1. Remove the mark from the packet. This will cause the packet to not match
>  the ipsec-policy again. However doing this causes the post-decryption check to
>  fail also and the packet will get dropped. (cat /proc/net/xfrm_stat).
>  2. Remove the sp association in the skbuff so that no policy check is done on
>  the packet for VTI tunnels.
> 
> Due to #2 above we must now do a security-policy check in the vti rcv path
> prior to resetting the mark in the skbuff.
> 
> Signed-off-by: Saurabh Mohan <saurabh.mohan@vyatta.com>
> Reported-by: Ruben Herold <ruben@puettmann.net>

Applied, and queued up for -stable, thanks.