Public bug reported:

[Impact]

When a userland application sends packets through an IPv4 or IPv6 raw
socket, these packets don't match ipsec policies that are configured
with a protocol selector.

The problem has been fixed in linux v6.4 with commit 3632679d9e4f
("ipv{4,6}/raw: fix output xfrm lookup wrt protocol").

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3632679d9e4f

This commit has been backported in linux 5.15.115:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=395d846c61c5

[Test Case]

Configure an ipsec policy with a protocol selector and send ip packets
that match this policy through an IP raw socket.

Example to match the proto icmp:
ip xfrm policy add src 10.100.0.0/24 dst 10.200.0.0/24 proto icmp dir out tmpl src 10.125.0.1 dst 10.125.0.2 proto esp mode tunnel reqid 1

[Regression Potential]

The patch introduces a new API to fix this problem, thus the regression
potential is low for existing applications.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete

https://bugs.launchpad.net/bugs/2024187

Title:
  xfrm: packets sent through a raw socket don't match ipsec policies with
  proto selector

Status in linux package in Ubuntu:
  Incomplete

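The test case above as a C sender, added here as an example and not part of the bug report or the kernel patch: it builds an ICMP echo request and sends it through an `IPPROTO_RAW` socket, passing the protocol in the `IP_PROTOCOL` control message that the upstream commit introduced for IPv4. The host addresses 10.100.0.1 and 10.200.0.1 are constructed values inside the policy's selectors, and the fallback value 52 for `IP_PROTOCOL` is an assumption taken from the upstream `linux/in.h`.

```c
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_PROTOCOL
#define IP_PROTOCOL 52 /* assumed from upstream linux/in.h; older libc headers lack it */
#endif
static uint16_t inet_csum(const void *buf, size_t len) { /* RFC 1071, network byte order */
    const uint8_t *p = buf; uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}
/* Write an IPv4 header + ICMP echo request into pkt; returns the packet length (28). */
static size_t build_echo(uint8_t *pkt, const char *src, const char *dst) {
    struct iphdr ip = { .version = 4, .ihl = 5, .ttl = 64, .protocol = IPPROTO_ICMP,
        .tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr)), .saddr = inet_addr(src), .daddr = inet_addr(dst) };
    struct icmphdr icmp = { .type = ICMP_ECHO };
    ip.check = inet_csum(&ip, sizeof(ip));
    icmp.checksum = inet_csum(&icmp, sizeof(icmp));
    memcpy(pkt, &ip, sizeof(ip));
    memcpy(pkt + sizeof(ip), &icmp, sizeof(icmp));
    return sizeof(ip) + sizeof(icmp);
}
/* Send on an IPPROTO_RAW socket; the IP_PROTOCOL cmsg carries the real protocol. Needs CAP_NET_RAW. */
static int send_raw(const uint8_t *pkt, size_t len, const char *dst) {
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } ctl = { { 0 } };
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_addr.s_addr = inet_addr(dst) };
    struct iovec iov = { .iov_base = (void *)pkt, .iov_len = len };
    struct msghdr msg = { .msg_name = &to, .msg_namelen = sizeof(to), .msg_iov = &iov,
        .msg_iovlen = 1, .msg_control = ctl.buf, .msg_controllen = sizeof(ctl.buf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    int proto = IPPROTO_ICMP, fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0) return -1;
    cm->cmsg_level = IPPROTO_IP;
    cm->cmsg_type = IP_PROTOCOL;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &proto, sizeof(proto));
    ssize_t n = sendmsg(fd, &msg, 0);
    close(fd);
    return n < 0 ? -1 : 0;
}
int main(void) {
    uint8_t pkt[64]; /* hosts below are constructed, inside the policy's selectors */
    return send_raw(pkt, build_echo(pkt, "10.100.0.1", "10.200.0.1"), "10.200.0.1") ? 1 : 0;
}
```

With the policy from the test case installed, `ip -s xfrm policy` or a capture on the outgoing interface shows whether the packet was matched and sent as ESP.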