Source-Changes-HG archive


[src/trunk]: src/sys/netinet6 avoid applying IPsec transport mode to the...



details:   https://anonhg.NetBSD.org/src/rev/c2ca136c68ab
branches:  trunk
changeset: 536210:c2ca136c68ab
user:      itojun <itojun%NetBSD.org@localhost>
date:      Wed Sep 11 08:15:37 2002 +0000

description:
avoid applying IPsec transport mode to the packets when the kernel
forwards the packets.
sync w/kame

diffstat:

 sys/netinet6/ip6_forward.c |  21 ++++++++++++++++++---
 1 files changed, 18 insertions(+), 3 deletions(-)

diffs (45 lines):

diff -r 079460af81e4 -r c2ca136c68ab sys/netinet6/ip6_forward.c
--- a/sys/netinet6/ip6_forward.c        Wed Sep 11 07:22:19 2002 +0000
+++ b/sys/netinet6/ip6_forward.c        Wed Sep 11 08:15:37 2002 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: ip6_forward.c,v 1.31 2002/06/08 21:22:33 itojun Exp $  */
-/*     $KAME: ip6_forward.c,v 1.74 2001/06/12 23:54:55 itojun Exp $    */
+/*     $NetBSD: ip6_forward.c,v 1.32 2002/09/11 08:15:37 itojun Exp $  */
+/*     $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $   */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.31 2002/06/08 21:22:33 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.32 2002/09/11 08:15:37 itojun Exp $");
 
 #include "opt_ipsec.h"
 #include "opt_pfil_hooks.h"
@@ -237,9 +237,24 @@
        }
 
     {
+       struct ipsecrequest *isr = NULL;
        struct ipsec_output_state state;
 
        /*
+        * when the kernel forwards a packet, it is not proper to apply
+        * IPsec transport mode to the packet is not proper.  this check
+        * avoid from this.
+        * at present, if there is even a transport mode SA request in the
+        * security policy, the kernel does not apply IPsec to the packet.
+        * this check is not enough because the following case is valid.
+        *      ipsec esp/tunnel/xxx-xxx/require esp/transport//require;
+        */
+       for (isr = sp->req; isr; isr = isr->next) {
+               if (isr->saidx.mode == IPSEC_MODE_TRANSPORT)
+                       goto skip_ipsec;
+       }
+       
+       /*
         * All the extension headers will become inaccessible
         * (since they can be encrypted).
         * Don't panic, we need no more updates to extension headers
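Review bot: the new loop over `sp->req` jumps to `skip_ipsec` as soon as any request in the policy is transport mode, so for the mixed policy the comment itself cites (`ipsec esp/tunnel/xxx-xxx/require esp/transport//require;`) a forwarded packet is sent with no IPsec at all, despite the `require` tunnel-mode entry; for a `require` policy that is fail-open rather than fail-closed, so consider skipping only the transport-mode requests and still applying the tunnel-mode ones, or at minimum stating explicitly in the comment that such packets are forwarded in the clear. The comment wording is also garbled: "it is not proper to apply IPsec transport mode to the packet is not proper. this check avoid from this." should read along the lines of "it is not proper to apply IPsec transport mode to the packet; this check avoids that." Two smaller points: the `skip_ipsec` label is outside this hunk, so whether the jump bypasses the cleanup of `state` cannot be checked from the diff and should be confirmed, and the `+` line following the loop body adds trailing whitespace.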


