lp:~ian-may/ubuntu/+source/linux/+git/bionic

Author: Xin Long
Author Date: 2020-08-10 16:55:45 UTC

xfrm: policy: match with both mark and mask on user interfaces

BugLink: https://bugs.launchpad.net/bugs/1890796

In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
it would take 'priority' to make a policy unique, and allow duplicated
policies with different 'priority' to be added, which is not expected
by userland, as Tobias reported in strongswan.

To fix this duplicated policies issue, and also fix the issue in
commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
when doing add/del/get/update on user interfaces, this patch is to change
to look up a policy with both mark and mask by doing:

  mark.v == pol->mark.v && mark.m == pol->mark.m

and leave the check:

  (mark & pol->mark.m) == pol->mark.v

for tx/rx path only.

As the userland expects an exact mark and mask match to manage policies.

v1->v2:
  - make xfrm_policy_mark_match inline and fix the changelog as
    Tobias suggested.

Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
Reported-by: Tobias Brunner <tobias@strongswan.org>
Tested-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

(backported from commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58)
[smb: work around missing if_id parameter and __xfrm_policy_bysel_ctx]
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
Signed-off-by: Ian May <ian.may@canonical.com>

Author: Ian May
Author Date: 2020-04-09 14:49:13 UTC

UBUNTU: Ubuntu-raspi2-4.15.0-1061.65

Signed-off-by: ian may <ian.may@canonical.com>