1 files changed, 9 insertions, 7 deletions
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 451088330bbb..22524716fe70 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -44,6 +44,7 @@
 #include <net/arp.h>
 #include <net/ip_fib.h>
 #include <net/rtnetlink.h>
+#include <net/xfrm.h>
 #ifndef CONFIG_IP_MULTIPLE_TABLES
@@ -188,9 +189,9 @@ EXPORT_SYMBOL(inet_dev_addr_type);
 * - check, that packet arrived from expected physical interface.
 * called with rcu_read_lock()
 */
-int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
+int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos,
-                        struct net_device *dev, __be32 *spec_dst,
+                        int oif, struct net_device *dev, __be32 *spec_dst,
-                        u32 *itag, u32 mark)
+                        u32 *itag)
 {
        struct in_device *in_dev;
        struct flowi4 fl4;
@@ -202,7 +203,6 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
        fl4.flowi4_oif = 0;
        fl4.flowi4_iif = oif;
-        fl4.flowi4_mark = mark;
        fl4.daddr = src;
        fl4.saddr = dst;
        fl4.flowi4_tos = tos;
@@ -212,10 +212,12 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
        in_dev = __in_dev_get_rcu(dev);
        if (in_dev) {
                no_addr = in_dev->ifa_list == NULL;
-                rpf = IN_DEV_RPFILTER(in_dev);
+                /* Ignore rp_filter for packets protected by IPsec. */
+                rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(in_dev);
                accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
-                if (mark && !IN_DEV_SRC_VMARK(in_dev))
+                fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0;
-                        fl4.flowi4_mark = 0;
        }
        if (in_dev == NULL)

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 451088330bbb..22524716fe70 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c
@@ -44,6 +44,7 @@
44	#include <net/arp.h>	44	#include <net/arp.h>
45	#include <net/ip_fib.h>	45	#include <net/ip_fib.h>
46	#include <net/rtnetlink.h>	46	#include <net/rtnetlink.h>
		47	#include <net/xfrm.h>
47		48
48	#ifndef CONFIG_IP_MULTIPLE_TABLES	49	#ifndef CONFIG_IP_MULTIPLE_TABLES
49		50
@@ -188,9 +189,9 @@ EXPORT_SYMBOL(inet_dev_addr_type);
188	* - check, that packet arrived from expected physical interface.	189	* - check, that packet arrived from expected physical interface.
189	* called with rcu_read_lock()	190	* called with rcu_read_lock()
190	*/	191	*/
191	int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,	192	int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos,
192	struct net_device dev, __be32 spec_dst,	193	int oif, struct net_device dev, __be32 spec_dst,
193	u32 *itag, u32 mark)	194	u32 *itag)
194	{	195	{
195	struct in_device *in_dev;	196	struct in_device *in_dev;
196	struct flowi4 fl4;	197	struct flowi4 fl4;
@@ -202,7 +203,6 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
202		203
203	fl4.flowi4_oif = 0;	204	fl4.flowi4_oif = 0;
204	fl4.flowi4_iif = oif;	205	fl4.flowi4_iif = oif;
205	fl4.flowi4_mark = mark;
206	fl4.daddr = src;	206	fl4.daddr = src;
207	fl4.saddr = dst;	207	fl4.saddr = dst;
208	fl4.flowi4_tos = tos;	208	fl4.flowi4_tos = tos;
@@ -212,10 +212,12 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
212	in_dev = __in_dev_get_rcu(dev);	212	in_dev = __in_dev_get_rcu(dev);
213	if (in_dev) {	213	if (in_dev) {
214	no_addr = in_dev->ifa_list == NULL;	214	no_addr = in_dev->ifa_list == NULL;
215	rpf = IN_DEV_RPFILTER(in_dev);	215
		216	/* Ignore rp_filter for packets protected by IPsec. */
		217	rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(in_dev);
		218
216	accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);	219	accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
217	if (mark && !IN_DEV_SRC_VMARK(in_dev))	220	fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0;
218	fl4.flowi4_mark = 0;
219	}	221	}
220		222
221	if (in_dev == NULL)	223	if (in_dev == NULL)