Strip IP header only when we act in tunnel mode.
MFC after: 1 week Sponsored by: Yandex LLC
parent
ab2164e0b5
commit
612faae7a2
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=274466
@ -671,8 +671,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
|
|||||||
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
|
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
|
||||||
|
|
||||||
/* Save protocol */
|
/* Save protocol */
|
||||||
prot = 0;
|
m_copydata(m, protoff, 1, &nxt8);
|
||||||
m_copydata(m, protoff, 1, (unsigned char *) &prot);
|
prot = nxt8;
|
||||||
|
|
||||||
#ifdef DEV_ENC
|
#ifdef DEV_ENC
|
||||||
if_inc_counter(encif, IFCOUNTER_IPACKETS, 1);
|
if_inc_counter(encif, IFCOUNTER_IPACKETS, 1);
|
||||||
@ -684,9 +684,47 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
|
|||||||
return (error);
|
return (error);
|
||||||
#endif /* DEV_ENC */
|
#endif /* DEV_ENC */
|
||||||
|
|
||||||
|
/* IPv6-in-IP encapsulation */
|
||||||
|
if (prot == IPPROTO_IPV6 &&
|
||||||
|
saidx->mode != IPSEC_MODE_TRANSPORT) {
|
||||||
|
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
|
||||||
|
IPSEC_ISTAT(sproto, hdrops);
|
||||||
|
error = EINVAL;
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
|
/* ip6n will now contain the inner IPv6 header. */
|
||||||
|
m_striphdr(m, 0, skip);
|
||||||
|
skip = 0;
|
||||||
|
#ifdef notyet
|
||||||
|
/*
|
||||||
|
* Check that the inner source address is the same as
|
||||||
|
* the proxy address, if available.
|
||||||
|
*/
|
||||||
|
if ((saidx->proxy.sa.sa_family == AF_INET6 &&
|
||||||
|
!IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
|
||||||
|
!IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
|
||||||
|
&saidx->proxy.sin6.sin6_addr)) ||
|
||||||
|
(saidx->proxy.sa.sa_family != AF_INET6 &&
|
||||||
|
saidx->proxy.sa.sa_family != 0)) {
|
||||||
|
|
||||||
|
DPRINTF(("%s: inner source address %s doesn't "
|
||||||
|
"correspond to expected proxy source %s, "
|
||||||
|
"SA %s/%08lx\n", __func__,
|
||||||
|
ip6_sprintf(ip6buf, &ip6n.ip6_src),
|
||||||
|
ipsec_address(&saidx->proxy),
|
||||||
|
ipsec_address(&saidx->dst),
|
||||||
|
(u_long) ntohl(sav->spi)));
|
||||||
|
|
||||||
|
IPSEC_ISTAT(sproto, pdrops);
|
||||||
|
error = EACCES;
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
|
#endif /* notyet */
|
||||||
|
}
|
||||||
#ifdef INET
|
#ifdef INET
|
||||||
/* IP-in-IP encapsulation */
|
/* IP-in-IP encapsulation */
|
||||||
if (prot == IPPROTO_IPIP) {
|
else if (prot == IPPROTO_IPIP &&
|
||||||
|
saidx->mode != IPSEC_MODE_TRANSPORT) {
|
||||||
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
|
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
|
||||||
IPSEC_ISTAT(sproto, hdrops);
|
IPSEC_ISTAT(sproto, hdrops);
|
||||||
error = EINVAL;
|
error = EINVAL;
|
||||||
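Review bot: The new guard `saidx->mode != IPSEC_MODE_TRANSPORT` (in the `if (prot == IPPROTO_IPV6 && ...)` before `m_striphdr`, and again in the `else if (prot == IPPROTO_IPIP && ...)` under `#ifdef INET`) is wider than the "tunnel mode" the commit title describes: should the SA carry any mode value other than transport, the outer header is still stripped. If stripping is meant for tunnel SAs only, a positive test reads closer to the intent, e.g. `if (prot == IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_TUNNEL) {` with the same change in the IPIP branch; if non-transport is deliberately the condition, a one-line comment saying so would save the next reader the same question. The moved comment `/* ip6n will now contain the inner IPv6 header. */` is misleading as written, since nothing in this hunk copies into `ip6n`; it is only referenced by the `#ifdef notyet` block, so a wording such as `/* skip is now 0; the inner IPv6 header starts at offset 0 (ip6n is not filled here). */` would be accurate. ipsec6_common_input_cb starts and ends outside this hunk.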
@ -721,41 +759,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
|
|||||||
#endif /* notyet */
|
#endif /* notyet */
|
||||||
}
|
}
|
||||||
#endif /* INET */
|
#endif /* INET */
|
||||||
/* IPv6-in-IP encapsulation */
|
else {
|
||||||
if (prot == IPPROTO_IPV6) {
|
prot = IPPROTO_IPV6; /* for correct BPF processing */
|
||||||
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
|
|
||||||
IPSEC_ISTAT(sproto, hdrops);
|
|
||||||
error = EINVAL;
|
|
||||||
goto bad;
|
|
||||||
}
|
|
||||||
/* ip6n will now contain the inner IPv6 header. */
|
|
||||||
m_striphdr(m, 0, skip);
|
|
||||||
skip = 0;
|
|
||||||
#ifdef notyet
|
|
||||||
/*
|
|
||||||
* Check that the inner source address is the same as
|
|
||||||
* the proxy address, if available.
|
|
||||||
*/
|
|
||||||
if ((saidx->proxy.sa.sa_family == AF_INET6 &&
|
|
||||||
!IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
|
|
||||||
!IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
|
|
||||||
&saidx->proxy.sin6.sin6_addr)) ||
|
|
||||||
(saidx->proxy.sa.sa_family != AF_INET6 &&
|
|
||||||
saidx->proxy.sa.sa_family != 0)) {
|
|
||||||
|
|
||||||
DPRINTF(("%s: inner source address %s doesn't "
|
|
||||||
"correspond to expected proxy source %s, "
|
|
||||||
"SA %s/%08lx\n", __func__,
|
|
||||||
ip6_sprintf(ip6buf, &ip6n.ip6_src),
|
|
||||||
ipsec_address(&saidx->proxy),
|
|
||||||
ipsec_address(&saidx->dst),
|
|
||||||
(u_long) ntohl(sav->spi)));
|
|
||||||
|
|
||||||
IPSEC_ISTAT(sproto, pdrops);
|
|
||||||
error = EACCES;
|
|
||||||
goto bad;
|
|
||||||
}
|
|
||||||
#endif /* notyet */
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -807,10 +812,6 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
|
|||||||
if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
|
if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
|
||||||
return (error);
|
return (error);
|
||||||
#endif /* DEV_ENC */
|
#endif /* DEV_ENC */
|
||||||
/* Retrieve new protocol */
|
|
||||||
/* We have stripped the IP6 header from the mbuf, we have to use the backuped proto value instead */
|
|
||||||
nxt8 = prot;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* See the end of ip6_input for this logic.
|
* See the end of ip6_input for this logic.
|
||||||
* IPPROTO_IPV[46] case will be processed just like other ones
|
* IPPROTO_IPV[46] case will be processed just like other ones
|
||||||
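Review bot: With `nxt8 = prot;` and its two comments removed, nothing at this point tells the reader that `nxt8` still holds the next-header value copied from the packet earlier in the function and is intentionally not refreshed after the tunnel-mode strip, while `prot` is only adjusted for the enc(4)/BPF path (as the `/* for correct BPF processing */` comment in the earlier hunk suggests). A short comment where the removed lines stood would keep that contract visible, e.g. `/* nxt8 keeps the protocol read before any header strip; prot is adjusted only for enc(4)/BPF. */`. The enclosing function continues past this hunk.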
|