[Kernel-packages] [Bug 2024187] Re: xfrm: packets sent trough a raw socket don't match ipsec policies with proto selector
For the record, the patch has been backported in Lunar/Jammy/Focal:
https://lists.ubuntu.com/archives/kernel-team/2023-August/141562.html
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2024187
Title:
xfrm: packets sent trough a raw socket don't match ipsec policies with
proto selector
Status in linux package in Ubuntu:
Expired
Bug description:
[Impact]
When a userland application sends packets through an IPv4 or IPv6 raw
socket, these packets don't match ipsec policies that are configured
with a protocol selector.
The problem has been fixed in linux v6.4 with commit 3632679d9e4f
("ipv{4,6}/raw: fix output xfrm lookup wrt protocol").
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3632679d9e4f
This commit has been backported in linux 5.15.115:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=395d846c61c5
[Test Case]
Configure an ipsec policy with a protocol selector and send ip packets
that match this policy through an IP raw socket.
Example to match the proto icmp:
ip xfrm policy add src 10.100.0.0/24 dst 10.200.0.0/24 proto icmp dir out
tmpl src 10.125.0.1 dst 10.125.0.2 proto esp mode tunnel reqid 1
[Regression Potential]
The patch introduces a new API to fix this problem, thus the
regression potential is low for existing applications.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2024187/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2024187] Re: xfrm: packets sent trough a raw socket don't match ipsec policies with proto selector
[Expired for linux (Ubuntu) because there has been no activity for 60
days.]
** Changed in: linux (Ubuntu)
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2024187
Title:
xfrm: packets sent trough a raw socket don't match ipsec policies with
proto selector
Status in linux package in Ubuntu:
Expired
Bug description:
[Impact]
When a userland application sends packets through an IPv4 or IPv6 raw
socket, these packets don't match ipsec policies that are configured
with a protocol selector.
The problem has been fixed in linux v6.4 with commit 3632679d9e4f
("ipv{4,6}/raw: fix output xfrm lookup wrt protocol").
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3632679d9e4f
This commit has been backported in linux 5.15.115:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=395d846c61c5
[Test Case]
Configure an ipsec policy with a protocol selector and send ip packets
that match this policy through an IP raw socket.
Example to match the proto icmp:
ip xfrm policy add src 10.100.0.0/24 dst 10.200.0.0/24 proto icmp dir out
tmpl src 10.125.0.1 dst 10.125.0.2 proto esp mode tunnel reqid 1
[Regression Potential]
The patch introduces a new API to fix this problem, thus the
regression potential is low for existing applications.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2024187/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2024187] Re: xfrm: packets sent trough a raw socket don't match ipsec policies with proto selector
Any news?
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2024187
Title:
xfrm: packets sent trough a raw socket don't match ipsec policies with
proto selector
Status in linux package in Ubuntu:
Incomplete
Bug description:
[Impact]
When a userland application sends packets through an IPv4 or IPv6 raw
socket, these packets don't match ipsec policies that are configured
with a protocol selector.
The problem has been fixed in linux v6.4 with commit 3632679d9e4f
("ipv{4,6}/raw: fix output xfrm lookup wrt protocol").
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3632679d9e4f
This commit has been backported in linux 5.15.115:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=395d846c61c5
[Test Case]
Configure an ipsec policy with a protocol selector and send ip packets
that match this policy through an IP raw socket.
Example to match the proto icmp:
ip xfrm policy add src 10.100.0.0/24 dst 10.200.0.0/24 proto icmp dir out
tmpl src 10.125.0.1 dst 10.125.0.2 proto esp mode tunnel reqid 1
[Regression Potential]
The patch introduces a new API to fix this problem, thus the
regression potential is low for existing applications.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2024187/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
