author | bz <bz@FreeBSD.org> | 2008-03-14 16:38:11 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2008-03-14 16:38:11 +0000 |
commit | 33dfb1706b9985093bf2f15b13b6d6fcf86e117f (patch) | |
tree | c38b7d05bd49b6aa0f1e85463850a23ad784aabd /sys/netinet6 | |
parent | 1fe21ae27841d6cbf56490b24eb61e21cf7dd03b (diff) | |
Correct IPsec behaviour with a 'use' level in SP but no SA available.
In that case return and continue processing the packet without IPsec.
PR: 121384
MFC after: 5 days
Reported by: Cyrus Rahman (crahman gmail.com)
Tested by: Cyrus Rahman (crahman gmail.com) [slightly older version]
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- | sys/netinet6/ip6_output.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 2336e41..c0b2bd7 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -384,7 +384,14 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, error = ipsec6_output_trans(&state, nexthdrp, mprev, sp, flags, &needipsectun); m = state.m; - if (error) { + if (error == EJUSTRETURN) { + /* + * We had a SP with a level of 'use' and no SA. We + * will just continue to process the packet without + * IPsec processing. + */ + ; + } else if (error) { /* mbuf is already reclaimed in ipsec6_output_trans. */ m = NULL; switch (error) { @@ -551,7 +558,14 @@ again: m = state.m; ro = (struct route_in6 *)state.ro; dst = (struct sockaddr_in6 *)state.dst; - if (error) { + if (error == EJUSTRETURN) { + /* + * We had a SP with a level of 'use' and no SA. We + * will just continue to process the packet without + * IPsec processing. + */ + ; + } else if (error) { /* mbuf is already reclaimed in ipsec6_output_tunnel. */ m0 = m = NULL; m = NULL; |
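Review bot: In the first hunk (@@ -384, after the call to ipsec6_output_trans), the new EJUSTRETURN branch is a bare `;` and leaves error holding EJUSTRETURN. Unless every later path in ip6_output() reassigns error before it is returned, that internal value can reach the caller even though the packet was sent. Writing `error = 0;` in place of the empty statement would state the "continue without IPsec" intent directly and remove the dependency on code outside this hunk. The branch also continues with `m = state.m`, while the neighbouring error path notes that the mbuf "is already reclaimed"; the new comment should say that the mbuf is still owned by the caller on EJUSTRETURN.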
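Review bot: In the second hunk (@@ -551, after the `again:` label), m, ro and dst are reloaded from state before the EJUSTRETURN check, so the fall-through path relies on state.m, state.ro and state.dst still being valid when the tunnel routine returns EJUSTRETURN. The added comment is a copy of the one in the first hunk and does not mention this; it should state that contract for the tunnel case, and the branch should clear error rather than use a bare `;`. Since this path sends the packet unprotected, a short note on why that is acceptable for a 'use' level policy would help later readers. The context line `m0 = m = NULL; m = NULL;` also carries a redundant second assignment that could be dropped while this block is being touched.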