authorTheo de Raadt <deraadt@cvs.openbsd.org>2011-07-06 22:03:01 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2011-07-06 22:03:01 +0000
commitccf879dbe85ed862e28ee9dd44f55427a75e865e (patch)
tree12de4fed7c71c4440e3d035463334008b3883e3d
parent0fff57c132ca19ed2488127b8712742b91f39d18 (diff)
For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
-rw-r--r--sbin/ipsecctl/parse.y16
1 files changed, 14 insertions, 2 deletions
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index d978faa9606..1e8d432a71b 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.150 2010/10/06 22:19:20 mikeb Exp $ */
+/* $OpenBSD: parse.y,v 1.151 2011/07/06 22:03:00 deraadt Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -578,7 +578,7 @@ ids : /* empty */ {
;
type : /* empty */ {
- $$ = TYPE_REQUIRE;
+ $$ = TYPE_UNKNOWN;
}
| TYPE USE {
$$ = TYPE_USE;
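Review bot: With the empty alternative of `type` now yielding `TYPE_UNKNOWN`, every consumer of this nonterminal has to resolve the value itself, and the only resolution visible in this commit is the new switch in create_flow(). If any other rule, or an earlier path inside create_flow(), reads the value before that switch, an unspecified type would no longer be treated as `TYPE_REQUIRE`, which was the fail-closed default the old action guaranteed; that is worth confirming against the rest of parse.y, which is not shown here. A comment in the action would record the contract, for example `/* resolved per satype in create_flow() */`. The `type` rule continues past the end of this hunk.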
@@ -2425,6 +2425,18 @@ create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts,
goto errout;
}
+ switch (satype) {
+ case IPSEC_IPCOMP:
+ case IPSEC_IPIP:
+ if (type == TYPE_UNKNOWN)
+ type = TYPE_USE;
+ break;
+ default:
+ if (type == TYPE_UNKNOWN)
+ type = TYPE_REQUIRE;
+ break;
+ }
+
r->flowtype = type;
if (type == TYPE_DENY || type == TYPE_BYPASS)
return (r);
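Review bot: The new switch gives no reason why `IPSEC_IPCOMP` and `IPSEC_IPIP` get the weaker default, so a later reader cannot tell that "use" is deliberate here rather than an oversight. The commit message has the rationale (these flows never get a key), and it belongs next to the code as something like `/* ipcomp and ipip flows are never keyed: default to "use", everything else to "require" */`. The `type == TYPE_UNKNOWN` test is also repeated in both arms; hoisting it into a single `if (type == TYPE_UNKNOWN)` around the switch would make it obvious that an explicitly configured type is never overridden. Since the default for these two protocols changes from "require" to "use", the user-facing documentation of the type modifier presumably needs the same note. create_flow() begins and ends outside this hunk, so the code between its entry and this switch was not reviewed.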