author | Markus Friedl <markus@cvs.openbsd.org> | 2008-10-22 14:36:09 +0000 |
committer | Markus Friedl <markus@cvs.openbsd.org> | 2008-10-22 14:36:09 +0000 |
commit | 9e247d022c84cdda4546dcd44dc2cdb61c3d136f (patch) | |
tree | d26616199ed614d6a46b41d5789f936885da1f9b | |
parent | 785de0575d013e89400a9eccbe319eed8f37ccd5 (diff) |
filter ipv6 ipsec packets on enc0 (in and out), similar to ipv4;
ok bluhm, fries, mpf; fixes pr 4188
-rw-r--r-- | sys/netinet/ipsec_input.c | 10 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 16 | ||||
-rw-r--r-- | sys/netinet6/ip6_output.c | 16 |
3 files changed, 33 insertions, 9 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index d91d5e99ac5..1e68064402c 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.89 2008/08/26 12:18:01 henning Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.90 2008/10/22 14:36:08 markus Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -237,12 +237,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 return ENXIO;
 }
 
- if (tdbp->tdb_dst.sa.sa_family == AF_INET &&
- sproto != IPPROTO_IPCOMP) {
- /*
- * XXX The fragment conflicts with scoped nature of
- * IPv6, so do it for only for IPv4 for now.
- */
+ if (sproto != IPPROTO_IPCOMP) {
+ /* XXX This conflicts with the scoped nature of IPv6 */
 m->m_pkthdr.rcvif = &encif[0].sc_if;
 }
 
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 60942fd9e5f..ac9bf41f448 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_forward.c,v 1.40 2008/06/11 19:00:50 mcbride Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.41 2008/10/22 14:36:08 markus Exp $ */
 /* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
 
 /*
@@ -45,6 +45,7 @@
 #include <sys/syslog.h>
 
 #include <net/if.h>
+#include <net/if_enc.h>
 #include <net/route.h>
 
 #include <netinet/in.h>
@@ -327,6 +328,19 @@ ip6_forward(struct mbuf *m, int srcrt)
 if (sproto != 0) {
 s = splnet();
 
+#if NPF > 0
+ if (pf_test6(PF_OUT, &encif[0].sc_if, &m, NULL) != PF_PASS) {
+ splx(s);
+ error = EHOSTUNREACH;
+ m_freem(m);
+ goto senderr;
+ }
+ if (m == NULL) {
+ splx(s);
+ goto senderr;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+#endif
 tdb = gettdb(sspi, &sdst, sproto);
 if (tdb == NULL) {
 splx(s);
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 2f18499bb64..c6f61f32fb7 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
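Review bot: The rewritten guard in the ipsec_common_input hunk of sys/netinet/ipsec_input.c now points m_pkthdr.rcvif at enc0 for IPv6 as well as IPv4, yet the surviving comment `/* XXX This conflicts with the scoped nature of IPv6 */` no longer says what is lost or why that is acceptable now. The receiving interface is what IPv6 uses to disambiguate scoped (link-local) addresses, so anything later in the input path that derives scope from rcvif presumably sees enc0 instead of the real interface. A comment along the lines of `/* XXX Replacing rcvif with enc0 drops the real receive interface, which IPv6 needs to resolve link-local scope; accepted so pf can filter decapsulated IPv6 on enc0 like IPv4. */` would tell the next reader what the XXX is actually warning about. ipsec_common_input begins and ends outside the hunk.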
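Review bot: In the ip6_forward hunk of sys/netinet6/ip6_forward.c the blocked path sets `error = EHOSTUNREACH` before `goto senderr`, but the consumed path (`m == NULL` after PF_PASS) jumps to senderr with error left at whatever it held before; senderr is outside the hunk, so whether that ends silently or produces an ICMPv6 reply depends on that earlier value and deserves either an explicit assignment or a one-line comment such as `/* pf took ownership of the packet; nothing left to forward */`. The same thirteen lines appear verbatim in the ip6_output hunk of sys/netinet6/ip6_output.c with `goto done`, and the commit message says the IPv4 paths do the same, so a small shared helper that runs pf on enc0 and reports blocked/consumed/passed would keep the enc0 filter calls from drifting apart as they are fixed. `NPF` and pf_test6 need the pf headers in scope while the hunk adds only net/if_enc.h, so they are presumably already included in both files — worth confirming.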
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.105 2008/09/03 08:41:57 mpf Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.106 2008/10/22 14:36:08 markus Exp $ */
 /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
 
 /*
@@ -74,6 +74,7 @@
 #include <sys/proc.h>
 
 #include <net/if.h>
+#include <net/if_enc.h>
 #include <net/route.h>
 
 #include <netinet/in.h>
@@ -496,6 +497,19 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, struct route_in6 *ro,
 if (sproto != 0) {
 s = splnet();
 
+#if NPF > 0
+ if (pf_test6(PF_OUT, &encif[0].sc_if, &m, NULL) != PF_PASS) {
+ splx(s);
+ error = EHOSTUNREACH;
+ m_freem(m);
+ goto done;
+ }
+ if (m == NULL) {
+ splx(s);
+ goto done;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+#endif
 /*
 * XXX what should we do if ip6_hlim == 0 and the
 * packet gets tunneled? |
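Review bot: The refresh `ip6 = mtod(m, struct ip6_hdr *);` at the end of the added block in the ip6_output hunk carries no explanation; pf_test6 receives `&m` and may hand back a different chain, which is why the header pointer has to be re-read, and a comment such as `/* pf may have modified or replaced the mbuf chain; re-read the header */` would record that for the next reader. The same uncommented line appears in the ip6_forward hunk of sys/netinet6/ip6_forward.c. Any other value derived from the old chain before the filter call would be equally stale after it; nothing of that kind is visible in the hunk, but ip6_output continues well beyond it, so it is worth checking. ip6_output begins and ends outside the hunk.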