Ryota is not sure about this, so I'm forwarding my mail to him here. Basically
I would like to add the PR_LASTHDR flag on the CARP and PFsync entries. I will
do so if no one sees a technical reason for not doing so.
-------- Forwarded Message --------
Subject: IPsec: PR_LASTHDR
Date: Mon, 5 Mar 2018 16:40:59 +0100
From: Maxime Villard <max%m00nbsd.net@localhost>
To: Ryota Ozaki <ozaki-r%netbsd.org@localhost>
Cc: Kengo NAKAHARA <k-nakahara%iij.ad.jp@localhost>
In in_proto.c, CARP and PFsync do not have PR_LASTHDR set.
Basically, when PR_LASTHDR is set, ipsec_in_reject is called from the IP layer;
when it's not set, we rely on the protocol to call ipsec_in_reject with the PCB.
But CARP and PFsync do not have PCBs, and they do not call ipsec_in_reject
themselves. Since they don't have PR_LASTHDR, it means that ipsec_in_reject
is never called on them.
As a result, a "require" policy may be bypassed, unencrypted packets could be
received and the system would still process them.
I would like to add PR_LASTHDR; do you disagree?
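The gap described in the forwarded mail (a protocol entry with neither PR_LASTHDR nor a PCB-based check never reaches ipsec_in_reject) can be made concrete with a small audit over a protocol table. The program below is an added example written for this page, not NetBSD code: the struct, the table contents, the flag value and the helper names are constructed stand-ins for inetsw[] in in_proto.c and for ipsec_in_reject(), and it only models which layer, if any, would run the policy check for each entry.

```c
/*
 * Added example (not NetBSD code): a model of how PR_LASTHDR decides where
 * the IPsec "require" policy check runs, used to audit a constructed
 * protocol table for entries that are never checked at all.
 *
 * Stand-ins: struct proto_entry models the relevant bits of struct protosw,
 * table[] models inetsw[], and the PR_LASTHDR value here is constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PR_LASTHDR 0x01   /* constructed value; same role as the kernel flag */

enum checker {
    CHECK_IP_LAYER,      /* IP input calls ipsec_in_reject before dispatch */
    CHECK_PROTOCOL_PCB,  /* protocol calls ipsec_in_reject with its PCB     */
    CHECK_NEVER          /* nobody checks: a "require" policy is bypassed   */
};

struct proto_entry {
    const char *name;
    unsigned    flags;        /* PR_* flags, like protosw.pr_flags */
    bool        has_pcb;      /* protocol keeps per-socket PCBs */
    bool        calls_check;  /* protocol input routine checks the policy itself */
};

/* Which layer, if any, enforces the IPsec policy for this entry. */
static enum checker policy_checker(const struct proto_entry *p)
{
    if (p->flags & PR_LASTHDR)
        return CHECK_IP_LAYER;
    if (p->has_pcb && p->calls_check)
        return CHECK_PROTOCOL_PCB;
    return CHECK_NEVER;
}

/* Constructed table mirroring the situation the mail describes. */
static const struct proto_entry table[] = {
    { "tcp",    0,          true,  true  },
    { "udp",    0,          true,  true  },
    { "icmp",   PR_LASTHDR, false, false },
    { "carp",   0,          false, false },
    { "pfsync", 0,          false, false },
};
#define NPROTO (sizeof(table) / sizeof(table[0]))

/* Number of entries for which the policy check never runs. */
static size_t count_unchecked(const struct proto_entry *t, size_t n)
{
    size_t unchecked = 0;
    for (size_t i = 0; i < n; i++)
        if (policy_checker(&t[i]) == CHECK_NEVER)
            unchecked++;
    return unchecked;
}

/* The proposed fix: set PR_LASTHDR on the named entry. Returns false if absent. */
static bool set_lasthdr(struct proto_entry *t, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(t[i].name, name) == 0) {
            t[i].flags |= PR_LASTHDR;
            return true;
        }
    }
    return false;
}

/* Re-run the audit on a copy of the table after applying the fix to CARP and PFsync. */
static size_t unchecked_after_fix(void)
{
    struct proto_entry copy[NPROTO];
    memcpy(copy, table, sizeof copy);
    set_lasthdr(copy, NPROTO, "carp");
    set_lasthdr(copy, NPROTO, "pfsync");
    return count_unchecked(copy, NPROTO);
}

int main(void)
{
    static const char *where[] = { "IP layer", "protocol (PCB)", "NEVER" };
    for (size_t i = 0; i < NPROTO; i++)
        printf("%-8s policy check: %s\n", table[i].name, where[policy_checker(&table[i])]);
    printf("unchecked before fix: %zu, after fix: %zu\n",
           count_unchecked(table, NPROTO), unchecked_after_fix());
    return 0;
}
```

Run as-is, the audit lists carp and pfsync as the two entries whose policy check never runs, and zero such entries once PR_LASTHDR is set on both, which is the effect the proposed in_proto.c change is meant to have.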