After a tunnel packet is decapsulated, we should clear the IPsec flag in
skb_mark.
Otherwise, IPsec policies would be applied a second time on internal
interfaces, if there are any. This becomes especially necessary once we
introduce a global, low-priority IPsec drop policy that makes
sure we never let through marked but unencrypted packets.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Issue: 15074
if (out_port != odp_port) {
ctx->flow.vlan_tci = htons(0);
}
+ ctx->flow.skb_mark &= ~IPSEC_MARK;
}
commit_odp_actions(&ctx->flow, &ctx->base_flow, ctx->odp_actions);
nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_OUTPUT, out_port);
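Review bot: The added `ctx->flow.skb_mark &= ~IPSEC_MARK;` has no comment, although it decides whether IPsec policy is applied to the packet again; I would add something like `/* Packet leaves on a non-tunnel port: clear the IPsec mark so policy is not applied a second time. */`. The branch that encloses this line starts outside the hunk, so the wording should be checked against the actual condition. It is also not visible here whether `ctx->flow.skb_mark` is saved before this point and restored after `commit_odp_actions()`. If the same `ctx->flow` is reused for a later output action, the cleared bit would carry over to it. That is worth confirming before the drop policy for marked but unencrypted packets is introduced.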
VLOG_DEFINE_THIS_MODULE(tunnel);
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
struct tnl_match {
ovs_be64 in_key;
ovs_be32 ip_src;
#include <stdint.h>
#include "flow.h"
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
/* Tunnel port emulation layer.
*
* These functions emulate tunnel virtual ports based on the outer