xfrm: packets sent trough a raw socket don't match ipsec policies with proto selector
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux (Ubuntu) |
Expired
|
Undecided
|
Unassigned | ||
Bug Description
[Impact]
When a userland application sends packets through an IPv4 or IPv6 raw socket, these packets don't match ipsec policies that are configured with a protocol selector.
The problem has been fixed in linux v6.4 with commit 3632679d9e4f ("ipv{4,6}/raw: fix output xfrm lookup wrt protocol").
https:/
This commit has been backported in linux 5.15.115:
https:/
[Test Case]
Configure an ipsec policy with a protocol selector and send ip packets that match this policy through an IP raw socket.
Example to match the proto icmp:
ip xfrm policy add src 10.100.0.0/24 dst 10.200.0.0/24 proto icmp dir out tmpl src 10.125.0.1 dst 10.125.0.2 proto esp mode tunnel reqid 1
[Regression Potential]
The patch introduces a new API to fix this problem, thus the regression potential is low for existing applications.
| Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote Missing required logs. | #1 |
| Changed in linux (Ubuntu): | |
| status: | New → Incomplete |
| Nicolas Dichtel (nicolas-dichtel) wrote | #2 |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in linux (Ubuntu): | |
| status: | Incomplete → Expired |
| Nicolas Dichtel (nicolas-dichtel) wrote | #4 |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 2024187
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.