author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 14:53:07 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:58:22 -0500 |
commit | 63036e9e94b6248ea67c2498d2af01cc0e4d1c91 (patch) | |
tree | 6081368bdb82b2e62ab23ab0e02c5c37100a3549 /sys/netipsec | |
parent | 64eaa054d3f2f4071efbe982508c66df80493234 (diff) | |
MFC r275712:
Treat errors when retrieving security policy as policy violation.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index df5a7a1..b3e8b6f 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -1264,6 +1264,9 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
 return (0); /* Valid. */
 }
+/*
+ * Non zero return value means security policy DISCARD or policy violation.
+ */
 static int
 ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 {
@@ -1283,8 +1286,7 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 result = ipsec_in_reject(sp, m);
 KEY_FREESP(&sp);
 } else {
- result = 0; /* XXX Should be panic?
- * -> No, there may be error. */
+ result = 1; /* treat errors as policy violation */
 }
 return (result);
 }
|
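Review bot: The `else` branch in the second hunk now fails closed, but the reason the policy lookup failed is thrown away, so a lookup error (for example an allocation failure) is reported to the caller exactly like a genuine policy violation. That is the right security outcome, since a failed lookup can no longer let unprotected traffic bypass inbound policy, but an operator seeing drops cannot tell the two cases apart, and any violation counter the callers keep (they are outside this hunk) would presumably count both. I would expand the comment to state the intent, e.g. `/* Lookup failed: fail closed so an error cannot bypass inbound policy. */`, and consider logging the lookup error at debug level before setting `result = 1`. The body of ipsec46_in_reject begins before this hunk, so how the error is produced is not visible here.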