Patch "xfrm: don't check the default policy if the policy allows the packet" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    xfrm: don't check the default policy if the policy allows the packet

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-don-t-check-the-default-policy-if-the-policy-al.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2005cad7067748a15bfbc13b88d61800b7c294a4
Author: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
Date:   Tue Apr 4 15:12:16 2023 +0200

    xfrm: don't check the default policy if the policy allows the packet
    
    [ Upstream commit 430cac487400494c19a8b85299e979bb07b4671f ]
    
    The current code doesn't let a simple "allow" policy counteract a
    default policy blocking all incoming packets:
    
        ip x p setdefault in block
        ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow
    
    At this stage, we have an allow policy (with or without transforms)
    for this packet. It doesn't matter what the default policy says, since
    the policy we looked up lets the packet through. The case of a
    blocking policy is already handled separately, so we can remove this
    check.
    
    Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
    Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index d15aa62887de0..8ebe305f6ddd7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3677,12 +3677,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 		}
 		xfrm_nr = ti;
 
-		if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK &&
-		    !xfrm_nr) {
-			XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
-			goto reject;
-		}
-
 		if (npols > 1) {
 			xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
 			tpp = stp;
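Review bot: the removed check (`policy_default[dir] == XFRM_USERPOLICY_BLOCK && !xfrm_nr`) sits in the branch reached only after a policy has already been looked up, so `!xfrm_nr` here means "the matched policy contributes no templates", not "no SA states were found"; rejecting there with `LINUX_MIB_XFRMINNOSTATES` overrode a matching allow policy and also bumped a counter that describes a different condition. Deleting it is correct only if two things hold that this hunk alone cannot show: a matched policy with a block action is already rejected before `xfrm_nr = ti;` (the commit message says this case is handled separately), and the no-policy path earlier in `__xfrm_policy_check()` still consults `policy_default[dir]`, since after this change that is the only place the inbound default-block decision is made. Both should be confirmed against the 5.10 file at index d15aa62887de0 before the backport is queued, and anyone alerting on `XfrmInNoStates` should expect it to stop incrementing for template-less allow policies.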


