After a tunnel packet is decapsulated we should unset the IPsec flag in skb_mark.
Otherwise, IPsec policies would be applied one more time on internal interfaces, if there is one. This is especially necessary after we will introduce global, low-priority IPsec drop policy that will make sure that we never let through marked but unencrypted packets.
Signed-off-by: Ansis Atteka <aatt...@nicira.com>
Issue: 15074
---
 ofproto/ofproto-dpif.c | 1 +
 ofproto/tunnel.c | 3 ---
 ofproto/tunnel.h | 3 +++
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index 421e9d4..5adf0fe 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -5829,6 +5829,7 @@ compose_output_action__(struct action_xlate_ctx *ctx, uint16_t ofp_port,
         if (out_port != odp_port) {
             ctx->flow.vlan_tci = htons(0);
         }
+        ctx->flow.skb_mark &= ~IPSEC_MARK;
     }
     commit_odp_actions(&ctx->flow, &ctx->base_flow, ctx->odp_actions);
     nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_OUTPUT, out_port);
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index 13d821c..8aa7fbe 100644
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -37,9 +37,6 @@
 VLOG_DEFINE_THIS_MODULE(tunnel);
 
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
 struct tnl_match {
     ovs_be64 in_key;
     ovs_be32 ip_src;
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index acb69a8..1b055ae 100644
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
@@ -20,6 +20,9 @@
 #include <stdint.h>
 #include "flow.h"
 
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 /* Tunnel port emulation layer.
  *
  * These functions emulate tunnel virtual ports based on the outer
-- 
1.7.10.4
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
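Review bot: The added `ctx->flow.skb_mark &= ~IPSEC_MARK;` in the ofproto-dpif.c hunk carries no comment, and the reason from the commit message (a decapsulated packet must not be matched a second time by IPsec policies when it is forwarded to an internal interface) belongs next to the code; add `/* Clear the IPsec mark so a decapsulated packet is not re-matched by IPsec policies on a non-tunnel output port. */` above it. The closing `}` right after the new line suggests it sits in the non-tunnel branch of compose_output_action__, which is the right scope; if it also ran for tunnel outputs it would undo the mark set for the encapsulated packet, so that placement is worth confirming. Whether the cleared mark reaches the datapath presumably depends on commit_odp_actions emitting a set action when skb_mark differs from base_flow, which this hunk does not show. compose_output_action__ starts and ends outside the hunk.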
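Review bot: In the tunnel.h hunk `#define IPSEC_MARK 1` becomes a header-visible constant that ofproto-dpif.c uses as a bit mask (`&= ~IPSEC_MARK`), but it is an `int` literal, so `~IPSEC_MARK` is a negative int before the `&=` converts it to skb_mark's type; `#define IPSEC_MARK 1u` keeps the expression unsigned and avoids sign-conversion warnings without changing the result. The comment should also state that the value is a single reserved skb_mark bit, since other skb_mark users must not collide with it, e.g. `/* skb_mark bit set on IPsec tunnel packets; cleared on non-tunnel output. */`. The removal from tunnel.c in the previous hunk is just the move, so only the definition's type and comment need tightening.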