Herbert Xu wrote:
> What I meant to say is all packets with tunnel mode SAs should be
> rejected since we don't allow optional tunnel transforms for security
> reasons.
> This patch fixes it.
Looks good. So you agree we should also apply my patch to
xfrm_policy_lookup (attached again with a less confusing subject)? It makes
packets with a secpath fall through to __xfrm_policy_check when the policy
list is empty, so the default policy is always the same. This will break
setups with keying daemons that don't add forward policies for tunnel mode
SAs.
Regards
Patrick
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/10/19 16:04:44+02:00 kaber@xxxxxxxxxxxx
# [XFRM]: Apply policy checks to packets with a secpath when the policy list is empty
#
# Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
#
# include/net/xfrm.h
# 2004/10/19 16:04:18+02:00 kaber@xxxxxxxxxxxx +1 -1
# [XFRM]: Apply policy checks to packets with a secpath when the policy list is empty
#
# Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
#
diff -Nru a/include/net/xfrm.h b/include/net/xfrm.h
--- a/include/net/xfrm.h 2004-10-19 16:05:39 +02:00
+++ b/include/net/xfrm.h 2004-10-19 16:05:39 +02:00
@@ -601,7 +601,7 @@
if (sk && sk->sk_policy[XFRM_POLICY_IN])
return __xfrm_policy_check(sk, dir, skb, family);
- return !xfrm_policy_list[dir] ||
+ return (!xfrm_policy_list[dir] && !skb->sp) ||
(skb->dst->flags & DST_NOPOLICY) ||
__xfrm_policy_check(sk, dir, skb, family);
}
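Review bot: the new `(!xfrm_policy_list[dir] && !skb->sp)` term changes the outcome for every packet that carries a secpath while the policy list is empty, but nothing in the hunk explains why a secpath must force the full `__xfrm_policy_check()`; please add a short comment above the `return`, e.g. `/* packets that arrived through an SA always get the policy check */`, so the `!skb->sp` test is not "simplified" away later. Also note that the unchanged `(skb->dst->flags & DST_NOPOLICY)` term on the next line still short-circuits before `__xfrm_policy_check()`, so a secpath packet whose route carries that flag is still accepted without the check; if that is intended, the changeset comment should say so rather than implying the check now applies to all secpath packets.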