[][kernel][mt7988][crypto][Change xfrm policy check for IPsec decryption path]
[Description]
Change xfrm policy check.
Strongswan installs three xfrm policies (in, out, and fwd) for
IPsec tunnel mode, and two (in and out) for transport mode.
With HW offload, the in and fwd policy checks cannot pass
because the sec path length is 0. So if the matched policy is
packet offload and its direction is in or fwd, pass the check directly.
[Release-log]
N/A
Change-Id: I90db73d7cca5371d9805d56281ef7cc07f3ddf46
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/8276271
diff --git a/target/linux/mediatek/patches-5.4/999-2728-xfrm-extend-packet-mode-to-support-esp-tunnel-mode.patch b/target/linux/mediatek/patches-5.4/999-2728-xfrm-extend-packet-mode-to-support-esp-tunnel-mode.patch
index d41c0f3..17ae470 100644
--- a/target/linux/mediatek/patches-5.4/999-2728-xfrm-extend-packet-mode-to-support-esp-tunnel-mode.patch
+++ b/target/linux/mediatek/patches-5.4/999-2728-xfrm-extend-packet-mode-to-support-esp-tunnel-mode.patch
@@ -33,3 +33,31 @@
if (skb_is_gso(skb))
return xfrm_output_gso(net, sk, skb);
}
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3703,6 +3703,10 @@ int __xfrm_policy_check(struct sock *sk,
+ }
+ }
+ #endif
++ /* Inbound HW offload packets, pass the check directly */
++ if (pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET &&
++ (pol->xdo.dir == XFRM_DEV_OFFLOAD_IN || pol->xdo.dir == XFRM_DEV_OFFLOAD_FWD))
++ return 1;
+
+ if (pol->action == XFRM_POLICY_ALLOW) {
+ static struct sec_path dummy;
+@@ -3712,6 +3716,14 @@ int __xfrm_policy_check(struct sock *sk,
+ int ti = 0;
+ int i, k;
+
++ /* Strongswan install FWD policy for inbound HW offload
++ * packets. But cannot find corresponding packet offload
++ * state here and will be drop. So, we bypass following
++ * check for FWD policy with acction allow.
++ */
++ if (dir == XFRM_POLICY_FWD)
++ return 1;
++
+ sp = skb_sec_path(skb);
+ if (!sp)
+ sp = &dummy;
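Review bot: The second added check, `if (dir == XFRM_POLICY_FWD) return 1;` inside the `pol->action == XFRM_POLICY_ALLOW` branch, bypasses template/state matching for every allow-action FWD policy, not only the packet-offload case that the description and the first added check (`pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET`) are limited to, so a forwarded packet that merely matches the FWD selector without having passed through any SA would now clear the policy check. If the FWD policy itself is not offloaded (which the comment implies), the bypass should be tied to evidence on the skb that the packet was handled by a packet-offload SA — the secpath, or the offload type of the matched state — rather than to `dir` alone, or at least the comment should explain why a plaintext forwarded packet cannot reach this point. The first added check also sits before the `pol->action` test, so it returns 1 without looking at the action; if a packet-offload policy can carry `XFRM_POLICY_BLOCK`, the action should be tested first. The new comment block should also read "Strongswan installs a FWD policy … and the packet will be dropped … with action allow". `__xfrm_policy_check` starts and ends outside the hunk.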