On Wed, Sep 07, 2016 at 08:40:38PM +0200, thomas.zeitlhofer+l...@ze-it.at wrote: > In case of inter address family tunneling (IPv6 over vti4 or IPv4 over > vti6), the inbound policy checks in vti_rcv_cb() and vti6_rcv_cb() are > using the wrong address family. As a result, all inbound inter address > family traffic is dropped. > > Use the xfrm_ip2inner_mode() helper, as done in xfrm_input() (i.e., also > increment LINUX_MIB_XFRMINSTATEMODEERROR in case of error), to select the > inner_mode that contains the right address family for the inbound policy > checks. > > Signed-off-by: Thomas Zeitlhofer <thomas.zeitlhofer+l...@ze-it.at> > --- > > Notes: > v2: implement review comments from Steffen (thanks for the reply): > > - return -EINVAL in case of error > > - increment LINUX_MIB_XFRMINSTATEMODEERROR in case of error > > Just to point that out, in case there are arguments against it: > this is done in the namespace of skb->dev and not in the > t(unnel)?->net namespace.
This is ok because the states are configured in that namespace. I've applied this to the ipsec tree, thanks a lot!
