author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 14:32:28 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:53:30 -0500 |
commit | c032ab445cdc3edf18d95638d6cc9d5bb2e638ad (patch) | |
tree | 491062c9b0fc40be57bf5c4db92fc1331352e7a8 /ObsoleteFiles.inc | |
parent | 49ad41cd5317892ea4e11dcb3ea076148a59da6e (diff) | |
MFC r275133:

Do not use xform_ipip as decapsulation fallback.

xform_ipip was used as fallback with low priority for IPIP
encapsulated packets that were decrypted. In some cases
it can decapsulate packets, that it shouldn't. This leads to situations,
when wrong configurations are magically working. Also it can propagate
wrong ingress interface and this can break security.

Now we redesigned the IPSEC code and IPIP encapsulation is called directly
from ipsec_output, and decapsulation is done in the ipsec_input with m_striphdr.

Differential Revision: https://reviews.freebsd.org/D1220
MFC after: 1 month
Sponsored by: Yandex LLC

TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'ObsoleteFiles.inc')
-rw-r--r-- | ObsoleteFiles.inc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 18fb323..6cbf9fb 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -47,6 +47,8 @@ OLD_FILES+=usr/include/netinet6/in6_gif.h OLD_FILES+=usr/tests/sbin/mdconfig/legacy_test OLD_FILES+=usr/tests/sbin/mdconfig/mdconfig.test OLD_FILES+=usr/tests/sbin/mdconfig/run.pl +# 20141126: remove xform_ipip decapsulation fallback +OLD_FILES+=usr/include/netipsec/ipip_var.h # 20141107: overhaul if_gre(4) OLD_FILES+=usr/include/netinet/ip_gre.h # 20141028: debug files accidentally installed as directory name |
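Review bot: the `# 20141126` date on the added comment looks carried over from the original change being merged, while this commit is dated 2015-10-20, and the hunk does not show the date heading of the mdconfig block directly above the new entry. The descending-date order is therefore only confirmed against the entries below it (`# 20141107`, `# 20141028`); please check that the block above is dated 20141126 or later on this branch, or move the entry so the file stays sorted. Separately, `usr/include/netipsec/ipip_var.h` is an installed header, and the commit message describes the decapsulation redesign without saying that the header is removed, so a sentence noting that anything still including it has to be updated would help people tracking this branch.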