MFC r275712:

Treat errors when retrieving security policy as policy violation. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
author: Luiz Otavio O Souza <luiz@netgate.com> 2015-09-15 14:53:07 -0500
committer: Luiz Otavio O Souza <luiz@netgate.com> 2015-10-20 11:58:22 -0500
commit: 63036e9e94b6248ea67c2498d2af01cc0e4d1c91 (patch)
tree: 6081368bdb82b2e62ab23ab0e02c5c37100a3549 /sys/netipsec
parent: 64eaa054d3f2f4071efbe982508c66df80493234 (diff)
download: FreeBSD-src-63036e9e94b6248ea67c2498d2af01cc0e4d1c91.zip
FreeBSD-src-63036e9e94b6248ea67c2498d2af01cc0e4d1c91.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index df5a7a1..b3e8b6f 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -1264,6 +1264,9 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
 	return (0);		/* Valid. */
 }
 
+/*
+ * Non zero return value means security policy DISCARD or policy violation.
+ */
 static int
 ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 {
@@ -1283,8 +1286,7 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 		result = ipsec_in_reject(sp, m);
 		KEY_FREESP(&sp);
 	} else {
-		result = 0;	/* XXX Should be panic?
-				 * -> No, there may be error. */
+		result = 1;	/* treat errors as policy violation */
 	}
 	return (result);
 }
author	Luiz Otavio O Souza <luiz@netgate.com>	2015-09-15 14:53:07 -0500
committer	Luiz Otavio O Souza <luiz@netgate.com>	2015-10-20 11:58:22 -0500
commit	63036e9e94b6248ea67c2498d2af01cc0e4d1c91 (patch)
tree	6081368bdb82b2e62ab23ab0e02c5c37100a3549 /sys/netipsec
parent	64eaa054d3f2f4071efbe982508c66df80493234 (diff)
download	FreeBSD-src-63036e9e94b6248ea67c2498d2af01cc0e4d1c91.zip FreeBSD-src-63036e9e94b6248ea67c2498d2af01cc0e4d1c91.tar.gz