authorume <ume@FreeBSD.org>2001-11-06 22:45:29 +0000
committerume <ume@FreeBSD.org>2001-11-06 22:45:29 +0000
commita58314c120ff61c5d13a16a3e358cd3a7b2199e1 (patch)
tree3e0d659cb39033faa2343f18387688f71e58a780
parent76b3e8adcb3c9cdb8ea9e12cdff6cc0f301d66e1 (diff)
downloadFreeBSD-src-a58314c120ff61c5d13a16a3e358cd3a7b2199e1.zip
FreeBSD-src-a58314c120ff61c5d13a16a3e358cd3a7b2199e1.tar.gz
Fixed the behavior when there is no inbound policy for the ipsec
tunneled packet. When there is no suitable inbound policy for an IPsec tunnel-mode packet, the kernel no longer decapsulates it as IPsec tunnel traffic, even when the system-wide default policy is "none". The kernel instead leaves the packet to the generic tunnel module. If the generic tunnel has no matching rule, the packet is rejected and the drop statistics are incremented.
Obtained from: KAME
MFC after: 1 week
-rw-r--r--sys/netinet6/ipsec.c8
-rw-r--r--sys/netkey/key.c22
2 files changed, 8 insertions, 22 deletions
diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 6f4bd7d..0b276e8 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -3329,6 +3329,14 @@ ipsec6_tunnel_validate(m, off, nxt0, sav)
sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
(struct sockaddr *)&isrc, (struct sockaddr *)&idst);
+ /*
+ * when there is no suitable inbound policy for the packet of the ipsec
+ * tunnel mode, the kernel never decapsulate the tunneled packet
+ * as the ipsec tunnel mode even when the system wide policy is "none".
+ * then the kernel leaves the generic tunnel module to process this
+ * packet. if there is no rule of the generic tunnel, the packet
+ * is rejected and the statistics will be counted up.
+ */
if (!sp)
return 0;
key_freesp(sp);
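Review bot: The comment added at the top of this hunk explains the policy decision but not what the `return 0` that follows does to the packet, which is the part a reader needs: the caller stops treating it as IPsec tunnel traffic and hands it to the generic tunnel code (gif on this tree, presumably), which drops and counts packets it has no rule for. I would reword it in sentence case and state that consequence, e.g. `/* No inbound SP matches this tunnel-mode packet.  Do not decapsulate it as IPsec tunnel traffic even when the default policy is "none"; return 0 so the generic tunnel code decides (and drops what it has no rule for). */`. The commit title speaks of tunneled packets generally, but only the IPv6 validator gets this note; if ipsec4_tunnel_validate() has the same key_gettunnel() check it inherits the new behaviour through key.c with no explanation, so consider mirroring the comment there. ipsec6_tunnel_validate() begins before and ends after this hunk.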
diff --git a/sys/netkey/key.c b/sys/netkey/key.c
index 734b838..22b437e 100644
--- a/sys/netkey/key.c
+++ b/sys/netkey/key.c
@@ -577,28 +577,6 @@ key_gettunnel(osrc, odst, isrc, idst)
return NULL;
}
- /* if no SP found, use default policy. */
- if (LIST_FIRST(&sptree[dir]) == NULL) {
- switch (isrc->sa_family) {
- case PF_INET:
- if (ip4_def_policy.policy == IPSEC_POLICY_DISCARD)
- return NULL;
- ip4_def_policy.refcnt++;
- return &ip4_def_policy;
-#ifdef INET6
- case PF_INET6:
- if (ip6_def_policy.policy == IPSEC_POLICY_DISCARD)
- return NULL;
- ip6_def_policy.refcnt++;
- return &ip6_def_policy;
-#endif
- default:
- ipseclog((LOG_ERR, "invalid protocol family %d\n.",
- isrc->sa_family));
- return NULL;
- }
- }
-
s = splnet(); /*called from softclock()*/
LIST_FOREACH(sp, &sptree[dir], chain) {
if (sp->state == IPSEC_SPSTATE_DEAD)
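Review bot: The behavioural change lives in this hunk, yet this is the side that loses its explanation: with the default-policy fallback removed, an empty SPD now makes key_gettunnel() return NULL for every tunnel lookup, including when the system-wide policy is "none", and nothing in the function says this is intended rather than an oversight, which invites someone to restore the fallback later. I would put a short comment where the removed block sat: `/* No default-policy fallback here: an empty SPD means no tunnel SP, and the caller leaves such packets to the generic tunnel code. */`. It is worth adding that the discard case is unchanged (the removed code already returned NULL for IPSEC_POLICY_DISCARD), so the only new outcome is for a non-discard default. The blank line removed with the block leaves the closing brace at the top of the hunk directly against `s = splnet();`; keep one blank line there. key_gettunnel() starts before this hunk and its LIST_FOREACH continues past it.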