ipsec: Fix inverted arguments in ipSecReplaceStateIn

ipSecReplaceStateIn was called with the local IP first and the remote IP second but its prototype indicates that the first argument is the remoteIP and the second is the localIP (inverted). This all worked fine because the function would then set the XFRM IN state source to the `localIP` (actually the remote IP). That doesn't make any sense given that the XFRM IN state is for decryption so the source of the packet is the remote IP. This commit fixes it such that the state source is set to the `remoteIP` variable as one would expect. This commit doesn't have any functional changes. Signed-off-by: Paul Chaignon <[email protected]>
jschwinger233 · Jan 19, 2023 · 6bb084a · 6bb084a
1 parent b3a2081
commit 6bb084a
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/pkg/datapath/linux/ipsec/ipsec_linux.go b/pkg/datapath/linux/ipsec/ipsec_linux.go
@@ -138,15 +138,15 @@ func ipSecJoinState(state *netlink.XfrmState, keys *ipSecKey) {
 	state.Reqid = keys.ReqID
 }
 
-func ipSecReplaceStateIn(remoteIP, localIP net.IP, zeroMark bool) (uint8, error) {
-	key := getIPSecKeys(localIP)
+func ipSecReplaceStateIn(localIP, remoteIP net.IP, zeroMark bool) (uint8, error) {
+	key := getIPSecKeys(remoteIP)
 	if key == nil {
 		return 0, fmt.Errorf("IPSec key missing")
 	}
 	state := ipSecNewState()
 	ipSecJoinState(state, key)
-	state.Src = localIP
-	state.Dst = remoteIP
+	state.Src = remoteIP
+	state.Dst = localIP
 	state.Mark = &netlink.XfrmMark{
 		Value: linux_defaults.RouteMarkDecrypt,
 		Mask:  linux_defaults.IPsecMarkMaskIn,