From 321fa4292766c96b953f0de930c0241251d7e695 Mon Sep 17 00:00:00 2001
From: Ansis Atteka
Date: Thu, 14 Mar 2013 11:53:00 -0700
Subject: [PATCH] ipsec: unset IPSEC_MARK flag from skb_mark after tunnel packet is decapsulated
After tunnel packet is unencapsulated we should unset IPsec flag from skb_mark. Otherwise, IPsec policies would be applied one more time on internal interfaces, if there is one. This is especially necessary after we will introduce global, low-priority IPsec drop policy that will make sure that we never let through marked but unencrypted packets.
Signed-off-by: Ansis Atteka
Issue: 15074
---
 ofproto/ofproto-dpif.c | 1 +
 ofproto/tunnel.c | 3 ---
 ofproto/tunnel.h | 3 +++
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index 0b72013da..d1b9f349f 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -5829,6 +5829,7 @@ compose_output_action__(struct action_xlate_ctx *ctx, uint16_t ofp_port,
 if (out_port != odp_port) {
 ctx->flow.vlan_tci = htons(0);
 }
+ ctx->flow.skb_mark &= ~IPSEC_MARK;
 }
 commit_odp_actions(&ctx->flow, &ctx->base_flow, ctx->odp_actions);
 nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_OUTPUT, out_port);
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index 13d821ce1..8aa7fbea2 100644
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -37,9 +37,6 @@
 VLOG_DEFINE_THIS_MODULE(tunnel);
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
 struct tnl_match {
 ovs_be64 in_key;
 ovs_be32 ip_src;
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index acb69a8e0..1b055aef4 100644
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
@@ -20,6 +20,9 @@
 #include
 #include "flow.h"
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 /* Tunnel port emulation layer.
 *
 * These functions emulate tunnel virtual ports based on the outer
--
2.43.0
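Review bot: The added `ctx->flow.skb_mark &= ~IPSEC_MARK;` carries no comment saying why the mark is cleared at output time, and the block it sits in, like the enclosing compose_output_action__, begins outside the hunk, so the line alone does not show whether it runs for every output port or only for non-tunnel ports. If that same block also performs the tunnel send that sets the mark for outgoing IPsec tunnel traffic, this clear would need to come before it rather than after, which is worth confirming against the start of the block. The rationale from the commit message belongs next to the line: `/* Drop the IPsec mark left by tunnel decapsulation so that IPsec policy is not applied a second time on the internal port. */`.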
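Review bot: `IPSEC_MARK` becomes part of the public tunnel.h interface with only the one-line comment carried over from tunnel.c, although this same patch now uses it as a bit flag in skb_mark (`&= ~IPSEC_MARK` in ofproto-dpif.c) rather than as a plain value. The comment should state that it is a single skb_mark bit and that its value presumably has to agree with the mark the host's IPsec policies select on, since the low-priority drop policy the commit message announces would otherwise either drop tunnel traffic or let unmarked traffic through unnoticed. Suggested wording: `/* skb_mark bit flagging IPsec tunnel packets; cleared again on non-tunnel output and expected to match the mark the host IPsec policies match on. */`.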