summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-12-14 05:13:11 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-12-14 05:13:11 +0000
commitb14582e39847ce7604b4312469614ebba9da92a5 (patch)
tree1a34d21fdd16aa82e10604f1821aacce2e5b2ce2 /sys
parentb7a31ab6966630bef85430dd613960c929b7ad2d (diff)
Always look for a suitable TDB if the gateway is left unspecified.
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_spd.c37
1 files changed, 32 insertions, 5 deletions
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index 760759de059..fcaee8ba651 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.7 2000/11/17 04:16:19 angelos Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.8 2000/12/14 05:13:10 angelos Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -409,13 +409,40 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
}
/*
- * If no SA has been added since the last time we did a lookup,
- * there's no point searching for one.
+ * If no SA has been added since the last time we did a
+ * lookup, there's no point searching for one. However, if the
+ * destination gateway is left unspecified (or is all-1's),
+ * always lookup since this is a generic-match rule
+ * (otherwise, we can have situations where SAs to some
+ * destinations exist but are not used, possibly leading to an
+ * explosion in the number of acquired SAs).
*/
- if (ipo->ipo_last_searched <= ipsec_last_added)
+ if (((ipo->ipo_dst.sa.sa_family == AF_INET) &&
+ (ipo->ipo_dst.sin.sin_addr.s_addr != INADDR_ANY) &&
+ (ipo->ipo_dst.sin.sin_addr.s_addr != INADDR_BROADCAST)) ||
+ ((ipo->ipo_dst.sa.sa_family == AF_INET6) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr) &&
+ bcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128,
+ sizeof(in6mask128))))
{
- ipo->ipo_last_searched = time.tv_sec; /* "touch" the entry */
+ if (ipo->ipo_last_searched <= ipsec_last_added)
+ {
+ ipo->ipo_last_searched = time.tv_sec; /* "touch" the entry */
+ /* Find an appropriate SA from among the existing SAs */
+ ipo->ipo_tdb = gettdbbyaddr(&sdst, ipo->ipo_sproto, m, af);
+ if (ipo->ipo_tdb)
+ {
+ TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, ipo,
+ ipo_tdb_next);
+ *error = 0;
+ ipo->ipo_last_searched = 0;
+ return ipo->ipo_tdb;
+ }
+ }
+ }
+ else
+ {
/* Find an appropriate SA from among the existing SAs */
ipo->ipo_tdb = gettdbbyaddr(&sdst, ipo->ipo_sproto, m, af);
if (ipo->ipo_tdb)