From c032ab445cdc3edf18d95638d6cc9d5bb2e638ad Mon Sep 17 00:00:00 2001 From: Luiz Otavio O Souza Date: Tue, 15 Sep 2015 14:32:28 -0500 Subject: MFC r275133: Do not use xform_ipip as decapsulation fallback. xform_ipip was used as fallback with low priority for IPIP encapsulated packets that were decrypted. In some cases it can decapsulate packets, that it shouldn't. This leads to situations, when wrong configurations are magically working. Also it can propagate wrong ingress interface and this can break security. Now we redesigned the IPSEC code and IPIP encapsulation is called directly from ipsec_output, and decapsulation is done in the ipsec_input with m_striphdr. Differential Revision: https://reviews.freebsd.org/D1220 MFC after: 1 month Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841 --- sys/netipsec/xform.h | 1 - 1 file changed, 1 deletion(-) (limited to 'sys/netipsec/xform.h') diff --git a/sys/netipsec/xform.h b/sys/netipsec/xform.h index e389cab..9f37c23 100644 --- a/sys/netipsec/xform.h +++ b/sys/netipsec/xform.h @@ -109,7 +109,6 @@ extern int xform_init(struct secasvar *sav, int xftype); struct cryptoini; /* XF_IP4 */ -extern int ip4_input6(struct mbuf **m, int *offp, int proto); extern void ip4_input(struct mbuf *m, int); extern int ipip_output(struct mbuf *, struct ipsecrequest *, struct mbuf **, int, int); -- cgit v1.1
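Review bot: In the `/* XF_IP4 */` block only the `ip4_input6` prototype is dropped, while `extern void ip4_input(struct mbuf *m, int);` stays declared, even though the commit message says decapsulation is now done in ipsec_input with m_striphdr. Please confirm that `ip4_input` still has a caller after this change. If it does not, remove its prototype in the same commit so that no entry point from the old fallback path stays exported from xform.h. This view is limited to sys/netipsec/xform.h, so also check that the definition of `ip4_input6` and any remaining references to it are removed alongside the declaration. Because the message says wrong configurations were "magically working" before, a short note for operators that such setups will stop passing traffic after the change would be worth adding.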