author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 14:37:58 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:54:29 -0500 |
commit | 35579e99c39d480d190f0e29606710433c0d3bf0 (patch) | |
tree | 9553b514373292e4666e14b906e1dcb4a079812b /sys/cam/cam_xpt.c | |
parent | 3c0d181698b9de090cab91e9774478734903f554 (diff) | |
download | FreeBSD-src-35579e99c39d480d190f0e29606710433c0d3bf0.zip FreeBSD-src-35579e99c39d480d190f0e29606710433c0d3bf0.tar.gz |
MFC r275703:
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
security policy. The changed block of code in ip*_ipsec_input() is
called when a packet has an ESP/AH header. Presence of the
PACKET_TAG_IPSEC_IN_DONE mbuf tag at the same time means that the
packet was already handled by IPSEC and reinjected in the netisr,
and it has other ESP/AH headers (encrypted twice?).
Since it was already processed by IPSEC code, the AH/ESP headers
were already stripped (and probably the outer IP header was stripped too)
and the security policy from the tdb_ident was applied to those headers.
It is incorrect to apply this security policy to the current headers.
Also make the ip_ipsec_input() prototype similar to ip6_ipsec_input().
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys/cam/cam_xpt.c')
0 files changed, 0 insertions, 0 deletions