From patchwork Thu Dec 21 16:32:24 2017
X-Patchwork-Submitter: Tobias Brunner
X-Patchwork-Id: 852037
X-Patchwork-Delegate: davem@davemloft.net
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Steffen Klassert
From: Tobias Brunner
Subject: [PATCH net-next] ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
Message-ID: <4aeb83c2-bd0d-8a11-39e0-18d3b7cd12ca@strongswan.org>
Date: Thu, 21 Dec 2017 17:32:24 +0100
X-Mailing-List: netdev@vger.kernel.org

If SNAT modifies the source address the resulting packet might match an IPsec policy; reinject the packet if that's the case. The exact same thing is already done for IPv4.
Signed-off-by: Tobias Brunner Acked-by: Steffen Klassert --- net/ipv6/ip6_output.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 176d74fb3b4d..c90f02632782 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -138,6 +138,14 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s return ret; } +#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM) + /* Policy lookup after SNAT yielded a new policy */ + if (skb_dst(skb)->xfrm) { + IPCB(skb)->flags |= IPSKB_REROUTED; + return dst_output(net, sk, skb); + } +#endif + if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || dst_allfrag(skb_dst(skb)) || (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
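Review bot: the new block in ip6_finish_output() sets the reroute flag through the IPv4 control block, `IPCB(skb)->flags |= IPSKB_REROUTED;`, but this is an IPv6 skb in net/ipv6/ip6_output.c, where the control block is `IP6CB(skb)` (the unchanged context right below already reads `IP6CB(skb)->frag_max_size`). IPCB/IPSKB_REROUTED are the ip_output.c names from the IPv4 version this copies; the IPv6 equivalents are `IP6CB(skb)->flags |= IP6SKB_REROUTED;`, which is also the flag the IPv6 output path tests to skip the POST_ROUTING hook on the reinjected packet. As written the flag lands in the wrong struct layout and the IPv6 path never sees it, so the reinjected packet would traverse netfilter and this policy check again. Suggest `IP6CB(skb)->flags |= IP6SKB_REROUTED;` and a short comment noting that dst_output() re-enters ip6_output() with the flag set, which is what prevents the second pass.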