Hi Dave:
In a previous, I moved the encap_type checks in esp4.c from the packet
processing path to xfrm_user/af_key. This isn't ideal since those encap
types only make sense for esp4.
The following patch moves it back into esp4.c. The difference is
that it's now done in init_state so that it's only done once rather
than per-packet.
I've also added encap_type checks for every transform. This means
that people attaching encap objects to AH/IPCOMP/IPIP will now get
errors. That should be fine as no major KM does this.
Please note that the error returned is now EINVAL instead of
ENOPROTOOPT. This shouldn't break anything since KMs only test
the errno from setsockopt() for NAT-T support rather than add_sa
where it would be too late anyway.
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
encap-check
Description: Text document
|