author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 14:32:28 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:53:30 -0500 |
commit | c032ab445cdc3edf18d95638d6cc9d5bb2e638ad (patch) | |
tree | 491062c9b0fc40be57bf5c4db92fc1331352e7a8 /sys/netipsec/xform.h | |
parent | 49ad41cd5317892ea4e11dcb3ea076148a59da6e (diff) | |

MFC r275133:

Do not use xform_ipip as decapsulation fallback.

xform_ipip was used as fallback with low priority for IPIP
encapsulated packets that were decrypted. In some cases
it can decapsulate packets that it shouldn't. This leads to situations
when wrong configurations are magically working. Also it can propagate
wrong ingress interface and this can break security.

Now we redesigned the IPSEC code and IPIP encapsulation is called directly
from ipsec_output, and decapsulation is done in the ipsec_input with m_striphdr.

Differential Revision: https://reviews.freebsd.org/D1220
MFC after: 1 month
Sponsored by: Yandex LLC

TAG: IPSEC-HEAD
Issue: #4841

Diffstat (limited to 'sys/netipsec/xform.h')
-rw-r--r-- | sys/netipsec/xform.h | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/sys/netipsec/xform.h b/sys/netipsec/xform.h index e389cab..9f37c23 100644 --- a/sys/netipsec/xform.h +++ b/sys/netipsec/xform.h @@ -109,7 +109,6 @@ extern int xform_init(struct secasvar *sav, int xftype); struct cryptoini; /* XF_IP4 */ -extern int ip4_input6(struct mbuf **m, int *offp, int proto); extern void ip4_input(struct mbuf *m, int); extern int ipip_output(struct mbuf *, struct ipsecrequest *, struct mbuf **, int, int); |
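
Review bot: The `extern void ip4_input(struct mbuf *m, int);` prototype that stays in the `/* XF_IP4 */` block, directly below the removed `ip4_input6` line, needs a second look. The commit message says decapsulation now happens in ipsec_input with m_striphdr and that xform_ipip is no longer a fallback, so the IPv4 input entry point looks like it belongs to the same removed path as its IPv6 counterpart. This diffstat is limited to xform.h, so please confirm in the rest of the change that `ip4_input` still has a definition and a caller. If it does not, drop the declaration here too, so a stale prototype cannot let new code link against the old fallback. If it is kept on purpose, a one-line comment in this block saying what still uses it would keep the header consistent with the stated redesign.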