On Tue, Mar 26, 2019 at 01:20:43PM +0100, Martin Willi wrote:
> If an xfrmi is associated to a vrf layer 3 master device,
> xfrm_policy_check() fails after traffic decapsulation. The input
> interface is replaced by the layer 3 master device, and hence
> xfrmi_decode_session() can't match the xfrmi anymore to satisfy
> policy checking.
>
> Extend ingress xfrmi lookup to honor the original layer 3 slave
> device, allowing xfrm interfaces to operate within a vrf domain.
>
> Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
> Signed-off-by: Martin Willi <[email protected]>
Applied, thanks a lot Martin!
