tech-net archive


IPsec: PR_LASTHDR



Hi,
Ryota is not sure about this, so I'm forwarding my mail to him here. Basically
I would like to add the PR_LASTHDR flag on the CARP and PFsync entries. I will
do so if no one sees a technical reason for not doing so.

Maxime


-------- Forwarded Message --------
Subject: IPsec: PR_LASTHDR
Date: Mon, 5 Mar 2018 16:40:59 +0100
From: Maxime Villard <max%m00nbsd.net@localhost>
To: Ryota Ozaki <ozaki-r%netbsd.org@localhost>
Cc: Kengo NAKAHARA <k-nakahara%iij.ad.jp@localhost>

Hi again,
In in_proto.c, CARP and PFsync do not have PR_LASTHDR set.

Basically, when PR_LASTHDR is set, ipsec_in_reject is called from the IP layer;
when it's not set, we rely on the protocol to call ipsec_in_reject with the PCB.

But CARP and PFsync do not have PCBs, and they do not call ipsec_in_reject
themselves. Since they don't have PR_LASTHDR, it means that ipsec_in_reject
is never called on them.

As a result, a "require" policy may be bypassed, unencrypted packets could be
received and the system would still process them.

I would like to add PR_LASTHDR; do you disagree?

Thanks,
Maxime
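As an added illustration (not part of the mail and not NetBSD kernel code), a small C model of the dispatch rule the mail describes: the IP layer runs ipsec_in_reject() only when PR_LASTHDR is set, otherwise the check depends on the protocol calling it with its PCB. The PR_LASTHDR bit value and the protocol tables are constructed for the example.

```c
/* Model of the PR_LASTHDR / ipsec_in_reject() dispatch rule (illustration only). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PR_LASTHDR 0x1   /* constructed value; not the kernel's real bit */

struct proto_model {
    const char *name;
    unsigned    flags;    /* PR_LASTHDR or 0 */
    bool        has_pcb;  /* protocol keeps a PCB and calls ipsec_in_reject itself */
};

/* True when an inbound packet for this protocol is checked against the
 * IPsec policy: either the IP layer does it (PR_LASTHDR) or the protocol
 * does it against its own PCB. */
bool ipsec_check_reached(const struct proto_model *p)
{
    if (p->flags & PR_LASTHDR)
        return true;          /* IP input path calls ipsec_in_reject() */
    return p->has_pcb;        /* protocol's own PCB-based call */
}

/* Count table entries where a "require" policy can be bypassed, i.e. where
 * neither path ever reaches ipsec_in_reject(). */
size_t audit_bypass(const struct proto_model *tbl, size_t n)
{
    size_t gaps = 0;
    for (size_t i = 0; i < n; i++) {
        if (!ipsec_check_reached(&tbl[i])) {
            printf("policy bypass possible: %s\n", tbl[i].name);
            gaps++;
        }
    }
    return gaps;
}

/* Constructed tables: entries before and after adding PR_LASTHDR to CARP and
 * PFsync. "udp" stands in for a PCB-owning protocol. */
const struct proto_model before_tbl[] = {
    { "udp",    0,          true  },
    { "carp",   0,          false },
    { "pfsync", 0,          false },
};
const struct proto_model after_tbl[] = {
    { "udp",    0,          true  },
    { "carp",   PR_LASTHDR, false },
    { "pfsync", PR_LASTHDR, false },
};
```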

