authorae <ae@FreeBSD.org>2014-12-11 14:58:55 +0000
committerae <ae@FreeBSD.org>2014-12-11 14:58:55 +0000
commit8e6349d4bcea839f004de921402559ba85da1a5e (patch)
tree89c1e58ca7d3d507929b16d725a5260a8b6e131d /sys/netinet/ip_ipsec.h
parent1cca983d1bb1daccc62e83498b3dc3f64d78aef0 (diff)
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
security policy. The changed block of code in ip*_ipsec_input() is called when the packet has an ESP/AH header. The presence of the PACKET_TAG_IPSEC_IN_DONE mbuf tag at the same time means that the packet was already handled by IPSEC and reinjected into the netisr, and that it carries another ESP/AH header (encrypted twice?). Since it was already processed by the IPSEC code, the AH/ESP headers were already stripped (and probably the outer IP header was stripped too) and the security policy from the tdb_ident was applied to those headers. It is incorrect to apply this security policy to the current headers. Also make the ip_ipsec_input() prototype similar to ip6_ipsec_input(). Obtained from: Yandex LLC Sponsored by: Yandex LLC
Diffstat (limited to 'sys/netinet/ip_ipsec.h')
-rw-r--r--sys/netinet/ip_ipsec.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet/ip_ipsec.h b/sys/netinet/ip_ipsec.h
index 2870c11..412b165 100644
--- a/sys/netinet/ip_ipsec.h
+++ b/sys/netinet/ip_ipsec.h
@@ -34,7 +34,7 @@
int ip_ipsec_filtertunnel(struct mbuf *);
int ip_ipsec_fwd(struct mbuf *);
-int ip_ipsec_input(struct mbuf *);
+int ip_ipsec_input(struct mbuf *, int);
int ip_ipsec_mtu(struct mbuf *, int);
int ip_ipsec_output(struct mbuf **, struct inpcb *, int *, int *);
#endif
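Review bot: The new `int` parameter added to `ip_ipsec_input()` on the `+` line is undocumented, and since this header's prototypes carry no parameter names (the neighbouring `ip_ipsec_mtu(struct mbuf *, int)` follows the same convention) a reader has no way to tell from the header what callers must pass. The commit message only says the prototype now mirrors `ip6_ipsec_input()` and that the affected code runs when the packet carries an ESP/AH header, so the argument is presumably the protocol number of the header being processed — this should be confirmed against the definition in ip_ipsec.c, which is outside this hunk. I would add a one-line comment above the prototype, e.g. `/* ip_ipsec_input(m, nxt): nxt is the IP protocol of the AH/ESP header being processed; mirrors ip6_ipsec_input() -- confirm against ip_ipsec.c */`. The diffstat is limited to this header, so the matching caller update in ip_input.c cannot be checked here; any remaining one-argument call would fail to compile rather than silently misbehave.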