On Tue, May 30, 2023 at 06:33:12PM +0200, Nicolas Dichtel wrote:
> With a raw socket bound to IPPROTO_RAW (ie with hdrincl enabled), the
> protocol field of the flow structure, built by raw_sendmsg() /
> rawv6_sendmsg(), is set to IPPROTO_RAW. This breaks the ipsec policy
> lookup when some policies are defined with a protocol in the selector.
>
> For ipv6, the sin6_port field from 'struct sockaddr_in6' could be used to
> specify the protocol. Just accept all values for IPPROTO_RAW socket.
>
> For ipv4, the sin_port field of 'struct sockaddr_in' could not be used
> without breaking backward compatibility (the value of this field was never
> checked). Let's add a new kind of control message, so that the userland
> could specify which protocol is used.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> CC: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx>
> Link: https://lore.kernel.org/r/20230522120820.1319391-1-nicolas.dichtel@xxxxxxxxx
> Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
> (cherry picked from commit 3632679d9e4f879f49949bb5b050e0de553e4739)
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx>
> ---
>
> I include the IP_LOCAL_PORT_RANGE define in the backport, to avoid having a hole.
> I can resubmit without this if needed.

No, this is great, thanks!

> This patch can be applied on 5.15, 5.10, 5.4 and 4.19 stable trees also.

Now queued up there, but not to 6.1.y as Sasha took the prereq commit
instead and the original.

thanks,

greg k-h
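
Added example, not part of the original message or of the kernel patch: a userland sketch of how a sender on an IPPROTO_RAW socket can tell the kernel the real protocol, so that IPsec policies with a protocol selector match. It assumes the new IPv4 control message is `IP_PROTOCOL` (value 52 in the upstream `linux/in.h`, a name this message does not spell out); the helper names and the argument checks are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef IP_PROTOCOL
#define IP_PROTOCOL 52 /* assumed from upstream linux/in.h; older libc headers lack it */
#endif

/* IPv4: attach one IP_PROTOCOL control message carrying `proto` to msg.
 * Returns the control length, or 0 (msg untouched) on a bad argument. */
size_t set_flow_protocol4(struct msghdr *msg, void *cbuf, size_t len, int proto)
{
    /* Example's own sanity checks: 8-bit, non-zero protocol; buffer fits. */
    if (proto < 1 || proto > 255 || len < CMSG_SPACE(sizeof(int)))
        return 0;
    memset(cbuf, 0, len);
    msg->msg_control = cbuf;
    msg->msg_controllen = CMSG_SPACE(sizeof(int));
    struct cmsghdr *cm = CMSG_FIRSTHDR(msg);
    cm->cmsg_level = IPPROTO_IP; /* same value as SOL_IP */
    cm->cmsg_type = IP_PROTOCOL;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &proto, sizeof(proto));
    return msg->msg_controllen;
}

/* IPv6: the protocol rides in sin6_port of the destination address. */
void set_flow_protocol6(struct sockaddr_in6 *dst, int proto)
{
    dst->sin6_port = htons((unsigned short)proto);
}

int main(void)
{
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg = {0};
    struct sockaddr_in6 dst6 = {0};

    size_t n = set_flow_protocol4(&msg, u.buf, sizeof(u.buf), IPPROTO_UDP);
    set_flow_protocol6(&dst6, IPPROTO_UDP);
    printf("v4 controllen=%zu, v6 sin6_port=%u\n", n, ntohs(dst6.sin6_port));
    /* msg / dst6 would now go to sendmsg() on a SOCK_RAW, IPPROTO_RAW
     * socket, which requires CAP_NET_RAW. */
    return 0;
}
```

On a kernel without the backport the IPv4 control message is not recognised, so a sender relying on it should check the `sendmsg()` return value rather than assume the policy lookup saw the intended protocol.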