diff options
author | ae <ae@FreeBSD.org> | 2014-12-11 14:58:55 +0000 |
---|---|---|
committer | ae <ae@FreeBSD.org> | 2014-12-11 14:58:55 +0000 |
commit | 8e6349d4bcea839f004de921402559ba85da1a5e (patch) | |
tree | 89c1e58ca7d3d507929b16d725a5260a8b6e131d /sys/netinet/ip_ipsec.h | |
parent | 1cca983d1bb1daccc62e83498b3dc3f64d78aef0 (diff) | |
download | FreeBSD-src-8e6349d4bcea839f004de921402559ba85da1a5e.zip FreeBSD-src-8e6349d4bcea839f004de921402559ba85da1a5e.tar.gz |
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
security policy. The changed block of code in ip*_ipsec_input() is
called when packet has ESP/AH header. Presence of
PACKET_TAG_IPSEC_IN_DONE mbuf tag in the same time means that
packet was already handled by IPSEC and reinjected in the netisr,
and it has another ESP/AH headers (encrypted twice?).
Since it was already processed by IPSEC code, the AH/ESP headers
was already stripped (and probably outer IP header was stripped too)
and security policy from the tdb_ident was applied to those headers.
It is incorrect to apply this security policy to current headers.
Also make ip_ipsec_input() prototype similar to ip6_ipsec_input().
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Diffstat (limited to 'sys/netinet/ip_ipsec.h')
-rw-r--r-- | sys/netinet/ip_ipsec.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet/ip_ipsec.h b/sys/netinet/ip_ipsec.h index 2870c11..412b165 100644 --- a/sys/netinet/ip_ipsec.h +++ b/sys/netinet/ip_ipsec.h @@ -34,7 +34,7 @@ int ip_ipsec_filtertunnel(struct mbuf *); int ip_ipsec_fwd(struct mbuf *); -int ip_ipsec_input(struct mbuf *); +int ip_ipsec_input(struct mbuf *, int); int ip_ipsec_mtu(struct mbuf *, int); int ip_ipsec_output(struct mbuf **, struct inpcb *, int *, int *); #endif |