authorAnsis Atteka <aatteka@nicira.com>2013-03-14 11:53:00 -0700
committerAnsis Atteka <aatteka@nicira.com>2013-03-18 09:22:46 -0700
commit840d49ae9e8041a4e5005dec9c51623778c2a6f1 (patch)
tree6bc63401641fba0aae36c3599c16de20c2e83a02 /ofproto
parent965b0d4b74c8d2cc73de86273963f1fc7b306e12 (diff)
ipsec: unset IPSEC_MARK flag from skb_mark after tunnel packet is decapsulated
After a tunnel packet is decapsulated we should unset the IPsec flag in skb_mark. Otherwise, IPsec policies would be applied a second time on the internal interface, if there is one. This is especially necessary once we introduce a global, low-priority IPsec drop policy that makes sure we never let through marked but unencrypted packets. Signed-off-by: Ansis Atteka <aatteka@nicira.com> Issue: 15074
Diffstat (limited to 'ofproto')
-rw-r--r--ofproto/ofproto-dpif.c1
-rw-r--r--ofproto/tunnel.c3
-rw-r--r--ofproto/tunnel.h3
3 files changed, 4 insertions, 3 deletions
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index ef5fb635..d56b51a9 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -5811,6 +5811,7 @@ compose_output_action__(struct action_xlate_ctx *ctx, uint16_t ofp_port,
if (out_port != odp_port) {
ctx->flow.vlan_tci = htons(0);
}
+ ctx->flow.skb_mark &= ~IPSEC_MARK;
}
commit_odp_actions(&ctx->flow, &ctx->base_flow, ctx->odp_actions);
nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_OUTPUT, out_port);
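Review bot: The added `ctx->flow.skb_mark &= ~IPSEC_MARK;` has no comment saying why the mark is cleared at this point, and the reason only lives in the commit message; I would put `/* Clear the IPsec mark so the kernel's IPsec policy is not applied a second time to a packet already decapsulated from an IPsec tunnel. */` directly above it. Because the statement mutates ctx->flow rather than a local copy, the cleared mark is also what every later action in the same translation sees; whether compose_output_action__ saves and restores skb_mark around the output, as it evidently has to for vlan_tci, is not visible here and is worth confirming, since a later output to an IPsec tunnel port in the same action list must still end up marked. The clear itself is unconditional in this branch, which is presumably fine only because commit_odp_actions on the following line emits a set action by comparing against ctx->base_flow. The enclosing if/else and the start of compose_output_action__ lie outside the hunk.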
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index 13d821ce..8aa7fbea 100644
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -37,9 +37,6 @@
VLOG_DEFINE_THIS_MODULE(tunnel);
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
struct tnl_match {
ovs_be64 in_key;
ovs_be32 ip_src;
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index acb69a8e..1b055aef 100644
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
@@ -20,6 +20,9 @@
#include <stdint.h>
#include "flow.h"
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
/* Tunnel port emulation layer.
*
* These functions emulate tunnel virtual ports based on the outer
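Review bot: The comment on the relocated `IPSEC_MARK` should say it is a bit within skb_mark rather than a whole mark value, since the ofproto-dpif.c side of this commit clears it with `&= ~IPSEC_MARK` and leaves the remaining bits untouched; I would write `/* Bit in skb_mark that tags packets belonging to an IPsec tunnel.  The IPsec policies that match on this mark are installed outside ovs-vswitchd, so the value cannot change independently of them. */`. Now that the macro is exported from tunnel.h instead of being private to tunnel.c, that coupling is a cross-module contract and belongs in the header. The statement about externally installed policies follows from the commit description and should be confirmed against whatever installs them.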