www.infradead.org Git - users/willy/xarray.git/commit

author	Antony Antony <antony.antony@secunet.com>
	Tue, 11 Jun 2024 06:32:15 +0000 (08:32 +0200)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Mon, 17 Jun 2024 11:53:19 +0000 (13:53 +0200)
commit	15f5fe9e84839dcc9eaa69b08ced9d24cb464369
tree	fd5c645486b0e8677ed0dae3a9c3a8cb5bd1d91f	tree
parent	54fcc6189dfb822eea984fa2b3e477a02447279d	commit \| diff

xfrm: Log input direction mismatch error in one place

Previously, the offload data path decrypted the packet before checking
the direction, leading to error logging and packet dropping. However,
dropped packets wouldn't be visible in tcpdump or audit log.

With this fix, the offload path, upon noticing SA direction mismatch,
will pass the packet to the stack without decrypting it. The L3 layer
will then log the error, audit, and drop ESP without decrypting or
decapsulating it.

This also ensures that the slow path records the error and audit log,
making dropped packets visible in tcpdump.

Fixes: 304b44f0d5a4 ("xfrm: Add dir validation to "in" data path lookup")
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

net/ipv4/esp4_offload.c		diff \| blob \| history
net/ipv6/esp6_offload.c		diff \| blob \| history
net/xfrm/xfrm_input.c		diff \| blob \| history