author | Ansis Atteka <aatteka@nicira.com> | 2013-03-14 11:53:00 -0700 |
---|---|---|
committer | Ansis Atteka <aatteka@nicira.com> | 2013-03-18 09:22:46 -0700 |
commit | 840d49ae9e8041a4e5005dec9c51623778c2a6f1 (patch) | |
tree | 6bc63401641fba0aae36c3599c16de20c2e83a02 /ofproto | |
parent | 965b0d4b74c8d2cc73de86273963f1fc7b306e12 (diff) |
ipsec: unset IPSEC_MARK flag from skb_mark after tunnel packet is decapsulated
After a tunnel packet is decapsulated we should unset the IPsec flag in
skb_mark.
Otherwise, IPsec policies would be applied one more time on internal
interfaces, if there is one. This is especially necessary after we
will introduce global, low-priority IPsec drop policy that will make
sure that we never let through marked but unencrypted packets.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Issue: 15074
Diffstat (limited to 'ofproto')
-rw-r--r-- | ofproto/ofproto-dpif.c | 1 | ||||
-rw-r--r-- | ofproto/tunnel.c | 3 | ||||
-rw-r--r-- | ofproto/tunnel.h | 3 |
3 files changed, 4 insertions, 3 deletions
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index ef5fb635..d56b51a9 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -5811,6 +5811,7 @@ compose_output_action__(struct action_xlate_ctx *ctx, uint16_t ofp_port,
         if (out_port != odp_port) {
             ctx->flow.vlan_tci = htons(0);
         }
+        ctx->flow.skb_mark &= ~IPSEC_MARK;
     }
     commit_odp_actions(&ctx->flow, &ctx->base_flow, ctx->odp_actions);
     nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_OUTPUT, out_port);
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index 13d821ce..8aa7fbea 100644
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -37,9 +37,6 @@ VLOG_DEFINE_THIS_MODULE(tunnel);
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
 struct tnl_match {
     ovs_be64 in_key;
     ovs_be32 ip_src;
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index acb69a8e..1b055aef 100644
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
@@ -20,6 +20,9 @@
 #include <stdint.h>
 #include "flow.h"
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 /* Tunnel port emulation layer.
  *
  * These functions emulate tunnel virtual ports based on the outer
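Review bot: The new `ctx->flow.skb_mark &= ~IPSEC_MARK;` in compose_output_action__ carries no comment, so a reader of the output path has no way to know why a bit of the mark is being stripped here; the rationale exists only in the commit message. Suggest placing `/* A packet leaving its tunnel must not keep the IPsec mark, or IPsec policy would be applied a second time on the internal port. */` directly above the line. The closing brace that follows suggests the line sits in one arm of a conditional whose head is outside the hunk, so which outputs are exempt from the clearing is not visible here; worth confirming that any output that re-enters a tunnel is the intended exception. compose_output_action__ starts and ends outside the hunk.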
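Review bot: IPSEC_MARK becomes part of the tunnel.h interface, but its comment is still the one-line note it had as a file-local define in tunnel.c and does not say that it is a bit mask within flow.skb_mark that is now reserved across ofproto. Suggest `/* Bit of skb_mark reserved for IPsec tunnel packets; must stay in sync with the value the receive side sets on decapsulated traffic, and is cleared on output (see ofproto-dpif.c) so policy is not re-applied. */` in place of the moved comment. If skb_mark is an unsigned field, `#define IPSEC_MARK 1u` would make `~IPSEC_MARK` an unsigned mask rather than the negative int -2 and keep the expression clean under sign-conversion warnings; the result is the same either way.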