ipsec: unset IPSEC_MARK flag from skb_mark after tunnel packet is decapsulated

After tunnel packet is unencapsulated we should unset IPsec flag from skb_mark. Otherwise, IPsec policies would be applied one more time on internal interfaces, if there is one. This is especially necessary after we will introduce global, low-priority IPsec drop policy that will make sure that we never let through marked but unencrypted packets. Signed-off-by: Ansis Atteka <aatteka@nicira.com> Issue: 15074
author: Ansis Atteka <aatteka@nicira.com> 2013-03-14 11:53:00 -0700
committer: Ansis Atteka <aatteka@nicira.com> 2013-03-18 09:21:27 -0700
commit: 321fa4292766c96b953f0de930c0241251d7e695 (patch)
tree: 4a970953471dd8a3ae3cf322c5b1a31e0aca0f3c /ofproto/tunnel.h
parent: fba6bd1d3f5891471daea8bf5da22303c2d889df (diff)
download: openvswitch-321fa4292766c96b953f0de930c0241251d7e695.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index acb69a8e0..1b055aef4 100644
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
@@ -20,6 +20,9 @@
 #include <stdint.h>
 #include "flow.h"
 
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 /* Tunnel port emulation layer.
  *
  * These functions emulate tunnel virtual ports based on the outer
author	Ansis Atteka <aatteka@nicira.com>	2013-03-14 11:53:00 -0700
committer	Ansis Atteka <aatteka@nicira.com>	2013-03-18 09:21:27 -0700
commit	321fa4292766c96b953f0de930c0241251d7e695 (patch)
tree	4a970953471dd8a3ae3cf322c5b1a31e0aca0f3c /ofproto/tunnel.h
parent	fba6bd1d3f5891471daea8bf5da22303c2d889df (diff)
download	openvswitch-321fa4292766c96b953f0de930c0241251d7e695.tar.gz