From: Andrea Mayer
To: "David S. Miller", Petr Machata, Stefano Brivio, Eric Dumazet, Taehee Yoo, Litao jiao, Roopa Prabhu, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Andrea Mayer, Paolo Lungaroni
Subject: [net] vxlan: fix vxlan6_get_route() adding a call to xfrm_lookup_route()
Date: Wed, 15 Jan 2020 20:22:31 +0100
Message-Id: <20200115192231.3005-1-andrea.mayer@uniroma2.it>

Currently IPSEC cannot be used to encrypt/decrypt IPv6 vxlan traffic. The problem is that the vxlan module uses the vxlan6_get_route() function to find out the route for transmitting an IPv6 packet, which in turn uses ip6_dst_lookup() available in ip6_output.c. Unfortunately ip6_dst_lookup() does not perform any xfrm route lookup, so the xfrm framework cannot be used with vxlan6.

To fix the issue above, the vxlan6_get_route() function has been patched by adding a missing call to xfrm_lookup_route(). Doing that, vxlan6_get_route() is now capable of looking up a route while also taking xfrm policies into account, if any.

Signed-off-by: Andrea Mayer
Signed-off-by: Paolo Lungaroni
--- drivers/net/vxlan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index bf04bc2e68c2..bec55a911c4f 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -2306,6 +2306,11 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan, return ERR_PTR(-ENETUNREACH); } + ndst = xfrm_lookup_route(vxlan->net, ndst, flowi6_to_flowi(&fl6), + sock6->sock->sk, 0); + if (IS_ERR_OR_NULL(ndst)) + return ERR_PTR(-ENETUNREACH); + if (unlikely(ndst->dev == dev)) { netdev_dbg(dev, "circular route to %pI6\n", daddr); dst_release(ndst); -- 2.20.1
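
Review bot: In the new `IS_ERR_OR_NULL(ndst)` branch the error returned by xfrm_lookup_route() is discarded and replaced with `ERR_PTR(-ENETUNREACH)`, so a caller cannot tell a lookup refused by xfrm policy from a missing route. Consider returning the original error when IS_ERR(ndst) is true (for example via ERR_CAST(ndst)) and keeping -ENETUNREACH only for the NULL case. The branch also returns silently, while the circular-route branch right below it logs through netdev_dbg(); a matching debug line naming daddr would make IPsec-related drops diagnosable. Finally, this branch has no dst_release() where the circular-route branch has one; if that is because xfrm_lookup_route() drops the reference on failure, a short comment saying so would save the next reader from suspecting a leak.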