author | ume <ume@FreeBSD.org> | 2001-10-29 16:29:41 +0000 |
---|---|---|
committer | ume <ume@FreeBSD.org> | 2001-10-29 16:29:41 +0000 |
commit | d30f6152e33559f5b07fdfb3f6ea560153c53f01 (patch) | |
tree | 61178fa9c0bd5f26462f948874d17c64a51d9bd6 /sys/netkey | |
parent | 1587368e88e1df6e281b9686d1f8069a498b4c90 (diff) | |
download | FreeBSD-src-d30f6152e33559f5b07fdfb3f6ea560153c53f01.zip FreeBSD-src-d30f6152e33559f5b07fdfb3f6ea560153c53f01.tar.gz |
System-wide policy should be returned when no policy is found in the SPD.
The packet was rejected in ipsec[46]_tunnel_validate().
Obtained from: KAME
MFC after: 1 week
Diffstat (limited to 'sys/netkey')
-rw-r--r-- | sys/netkey/key.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/sys/netkey/key.c b/sys/netkey/key.c
index 6c2e7ed..0ee6b74 100644
--- a/sys/netkey/key.c
+++ b/sys/netkey/key.c
@@ -570,6 +570,32 @@ key_gettunnel(osrc, odst, isrc, idst)
 	struct sockaddr *os, *od, *is, *id;
 	struct secpolicyindex spidx;
 
+	if (isrc->sa_family != idst->sa_family) {
+		printf("protocol family mismatched %d != %d\n.",
+			isrc->sa_family, idst->sa_family);
+		return NULL;
+	}
+
+	/* if no SP found, use default policy. */
+	if (LIST_FIRST(&sptree[dir]) == NULL) {
+		switch (isrc->sa_family) {
+		case PF_INET:
+			if (ip4_def_policy.policy == IPSEC_POLICY_DISCARD)
+				return NULL;
+			ip4_def_policy.refcnt++;
+			return &ip4_def_policy;
+		case PF_INET6:
+			if (ip6_def_policy.policy == IPSEC_POLICY_DISCARD)
+				return NULL;
+			ip6_def_policy.refcnt++;
+			return &ip6_def_policy;
+		default:
+			printf("invalid protocol family %d\n.",
+				isrc->sa_family);
+			return NULL;
+		}
+	}
+
 	s = splnet();	/*called from softclock()*/
 	LIST_FOREACH(sp, &sptree[dir], chain) {
 		if (sp->state == IPSEC_SPSTATE_DEAD) |
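Review bot: Both new diagnostics put the period after the newline, so the next console line starts with a stray "."; the two format strings should read `"protocol family mismatched %d != %d.\n"` and `"invalid protocol family %d.\n"`. The fallback to ip4_def_policy/ip6_def_policy fires only when sptree[dir] is entirely empty, while the commit message promises the system-wide policy whenever "no policy is found"; if the LIST_FOREACH walk (which continues past the hunk) still returns NULL on a non-matching but non-empty SPD, the two cases behave differently, so it is worth confirming the intended semantics match the existing default-policy handling elsewhere in key.c. The refcnt++ on the shared default-policy objects also happens before splnet() is raised, whereas the SPD walk below runs under it; since the default policies are global, a comment such as `/* default policy refcnt is bumped without splnet; matches key_allocsp */` (if that is indeed the case) would save the next reader a trip. key_gettunnel's body continues outside the hunk.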