diff options
author | bz <bz@FreeBSD.org> | 2008-03-14 16:38:11 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2008-03-14 16:38:11 +0000 |
commit | 33dfb1706b9985093bf2f15b13b6d6fcf86e117f (patch) | |
tree | c38b7d05bd49b6aa0f1e85463850a23ad784aabd /sys/netipsec/ipsec_output.c | |
parent | 1fe21ae27841d6cbf56490b24eb61e21cf7dd03b (diff) | |
download | FreeBSD-src-33dfb1706b9985093bf2f15b13b6d6fcf86e117f.zip FreeBSD-src-33dfb1706b9985093bf2f15b13b6d6fcf86e117f.tar.gz |
Correct IPsec behaviour with a 'use' level in SP but no SA available.
In that case return an continue processing the packet without IPsec.
PR: 121384
MFC after: 5 days
Reported by: Cyrus Rahman (crahman gmail.com)
Tested by: Cyrus Rahman (crahman gmail.com) [slightly older version]
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
-rw-r--r-- | sys/netipsec/ipsec_output.c | 55 |
1 files changed, 33 insertions, 22 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index ae7c08b..a8656ef 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -286,17 +286,19 @@ again: goto bad; } sav = isr->sav; - if (sav == NULL) { /* XXX valid return */ + if (sav == NULL) { IPSEC_ASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE, ("no SA found, but required; level %u", ipsec_get_reqlevel(isr))); IPSECREQUEST_UNLOCK(isr); isr = isr->next; - if (isr == NULL) { - /*XXXstatistic??*/ - *error = EINVAL; /*XXX*/ + /* + * If isr is NULL, we found a 'use' policy w/o SA. + * Return w/o error and w/o isr so we can drop out + * and continue w/o IPsec processing. + */ + if (isr == NULL) return isr; - } IPSECREQUEST_LOCK(isr); goto again; } @@ -356,8 +358,11 @@ ipsec4_process_packet( IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */ isr = ipsec_nextisr(m, isr, AF_INET, &saidx, &error); - if (isr == NULL) - goto bad; + if (isr == NULL) { + if (error != 0) + goto bad; + return EJUSTRETURN; + } sav = isr->sav; @@ -581,21 +586,24 @@ ipsec6_output_trans( IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */ isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error); if (isr == NULL) { + if (error != 0) { #ifdef notdef - /* XXX should notification be done for all errors ? */ - /* - * Notify the fact that the packet is discarded - * to ourselves. I believe this is better than - * just silently discarding. (jinmei@kame.net) - * XXX: should we restrict the error to TCP packets? - * XXX: should we directly notify sockets via - * pfctlinputs? - */ - icmp6_error(m, ICMP6_DST_UNREACH, - ICMP6_DST_UNREACH_ADMIN, 0); - m = NULL; /* NB: icmp6_error frees mbuf */ + /* XXX should notification be done for all errors ? */ + /* + * Notify the fact that the packet is discarded + * to ourselves. I believe this is better than + * just silently discarding. (jinmei@kame.net) + * XXX: should we restrict the error to TCP packets? + * XXX: should we directly notify sockets via + * pfctlinputs? + */ + icmp6_error(m, ICMP6_DST_UNREACH, + ICMP6_DST_UNREACH_ADMIN, 0); + m = NULL; /* NB: icmp6_error frees mbuf */ #endif - goto bad; + goto bad; + } + return EJUSTRETURN; } error = (*isr->sav->tdb_xform->xf_output)(m, isr, NULL, @@ -712,8 +720,11 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */ isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error); - if (isr == NULL) - goto bad; + if (isr == NULL) { + if (error != 0) + goto bad; + return EJUSTRETURN; + } #ifdef DEV_ENC /* pass the mbuf to enc0 for bpf processing */ |