From: Ansis Atteka
Date: Thu, 14 Mar 2013 18:53:00 +0000 (-0700)
Subject: ipsec: unset IPSEC_MARK flag from skb_mark after tunnel packet is decapsulated
X-Git-Tag: sliver-openvswitch-1.10.90-1~10^2~54
X-Git-Url: http://git.onelab.eu/?p=sliver-openvswitch.git;a=commitdiff_plain;h=321fa4292766c96b953f0de930c0241251d7e695

ipsec: unset IPSEC_MARK flag from skb_mark after tunnel packet is decapsulated

After tunnel packet is unencapsulated we should unset IPsec flag from skb_mark. Otherwise, IPsec policies would be applied one more time on internal interfaces, if there is one. This is especially necessary after we will introduce global, low-priority IPsec drop policy that will make sure that we never let through marked but unencrypted packets.

Signed-off-by: Ansis Atteka
Issue: 15074
---
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index 0b72013da..d1b9f349f 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -5829,6 +5829,7 @@ compose_output_action__(struct action_xlate_ctx *ctx, uint16_t ofp_port,
         if (out_port != odp_port) {
             ctx->flow.vlan_tci = htons(0);
         }
+        ctx->flow.skb_mark &= ~IPSEC_MARK;
     }
     commit_odp_actions(&ctx->flow, &ctx->base_flow, ctx->odp_actions);
     nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_OUTPUT, out_port);
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index 13d821ce1..8aa7fbea2 100644
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -37,9 +37,6 @@
 VLOG_DEFINE_THIS_MODULE(tunnel);
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
 struct tnl_match {
     ovs_be64 in_key;
     ovs_be32 ip_src;
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index acb69a8e0..1b055aef4 100644
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
@@ -20,6 +20,9 @@
 #include
 #include "flow.h"
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 /* Tunnel port emulation layer.
  *
  * These functions emulate tunnel virtual ports based on the outer
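Review bot: The added `ctx->flow.skb_mark &= ~IPSEC_MARK;` clears the mark for every packet that reaches this branch, but the condition of the enclosing `if` — and the start of compose_output_action__ — lies outside the hunk, so it cannot be confirmed here that the branch is taken only for packets that actually arrived through a decapsulating tunnel port. If it can also be reached for a packet that was never decapsulated, the mark is dropped before the low-priority drop policy the description relies on gets to see it, which is worth a sentence in the code. I would add a why-comment above the new line, `/* Packet has left the IPsec tunnel: clear the mark so the policies are not applied again on the inner interface. */`. The line also depends on ofproto-dpif.c including tunnel.h for the relocated IPSEC_MARK macro, which the diff does not show.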
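Review bot: The comment carried over with the relocated macro says what the constant is for but not that it is a bit mask — ofproto-dpif.c now clears it with `&= ~IPSEC_MARK` — nor that its value must agree with whatever outside this code sets and matches the mark, which the description says the IPsec policies do. Now that tunnel.h is the single definition shared by two modules, I would expand the comment to `/* Bit in skb_mark that flags IPsec tunnel packets; must match the mark the IPsec policies set and match on, and is cleared on tunnel output in ofproto-dpif.c. */`.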