-rw-r--r-- | sys/netinet6/ipsec.c | 8 | ||||
-rw-r--r-- | sys/netkey/key.c | 22 |
2 files changed, 8 insertions, 22 deletions
diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 6f4bd7d..0b276e8 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -3329,6 +3329,14 @@ ipsec6_tunnel_validate(m, off, nxt0, sav)
 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
+ /*
+ * when there is no suitable inbound policy for the packet of the ipsec
+ * tunnel mode, the kernel never decapsulate the tunneled packet
+ * as the ipsec tunnel mode even when the system wide policy is "none".
+ * then the kernel leaves the generic tunnel module to process this
+ * packet. if there is no rule of the generic tunnel, the packet
+ * is rejected and the statistics will be counted up.
+ */
 if (!sp)
 return 0;
 key_freesp(sp);
diff --git a/sys/netkey/key.c b/sys/netkey/key.c
index 734b838..22b437e 100644
--- a/sys/netkey/key.c
+++ b/sys/netkey/key.c
@@ -577,28 +577,6 @@ key_gettunnel(osrc, odst, isrc, idst)
 return NULL;
 }
- /* if no SP found, use default policy. */
- if (LIST_FIRST(&sptree[dir]) == NULL) {
- switch (isrc->sa_family) {
- case PF_INET:
- if (ip4_def_policy.policy == IPSEC_POLICY_DISCARD)
- return NULL;
- ip4_def_policy.refcnt++;
- return &ip4_def_policy;
-#ifdef INET6
- case PF_INET6:
- if (ip6_def_policy.policy == IPSEC_POLICY_DISCARD)
- return NULL;
- ip6_def_policy.refcnt++;
- return &ip6_def_policy;
-#endif
- default:
- ipseclog((LOG_ERR, "invalid protocol family %d\n.",
- isrc->sa_family));
- return NULL;
- }
- }
 s = splnet(); /*called from softclock()*/
 LIST_FOREACH(sp, &sptree[dir], chain) {
 if (sp->state == IPSEC_SPSTATE_DEAD) |
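Review bot: The added comment in ipsec6_tunnel_validate() documents a behaviour that is implemented in key_gettunnel() rather than here, and its wording ("the kernel never decapsulate", "leaves the generic tunnel module to process") is hard to follow for a reader who only sees this function. I would reword it to state plainly that key_gettunnel() returns NULL when no inbound SP matches the outer/inner address pair — it no longer falls back to the per-family default policy, even when that policy is "none" — so the packet is not treated as an IPsec tunnel and is left to the generic tunnel input path. Whether that path drops the packet and bumps a statistic is not visible in this hunk, so that sentence should point at the generic tunnel code rather than assert the counting. ipsec6_tunnel_validate's body begins and ends outside the hunk.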
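Review bot: Removing the default-policy fallback in key_gettunnel() also drops the `default:` branch that logged and rejected an `isrc->sa_family` other than PF_INET/PF_INET6, so an unexpected family now proceeds into the SP walk instead of being reported; whether the per-entry address comparisons in the LIST_FOREACH body handle that safely is outside the hunk and worth confirming. A short comment at the retained loop would make the new contract explicit to the next reader, e.g. `/* No default-policy fallback for tunnel mode: an inbound SP must match explicitly; an empty SPD yields NULL. */`. The rationale for this change is only recorded in ipsec6_tunnel_validate() in sys/netinet6/ipsec.c; pointing to it from here keeps the two in sync. key_gettunnel's body starts before and continues past the hunk.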