summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2002-04-24 01:05:13 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2002-04-24 01:05:13 +0000
commit0df7142d581d644ed97e66b376104baf08bbfd1c (patch)
treeee346754ec63b8c29d5f5022b3a7f755a68618cd /sys
parent2dca48c83ca233201097fc4e9a39ecff56cf7527 (diff)
Update IPsec-related comments.
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_input.c29
1 files changed, 23 insertions, 6 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 174b3974713..dc1f610a32b 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.100 2002/03/14 01:27:11 millert Exp $ */
+/* $OpenBSD: ip_input.c,v 1.101 2002/04/24 01:05:12 angelos Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -489,7 +489,10 @@ ipv4_input(m)
m_freem(m);
} else {
#ifdef IPSEC
- /* IPsec policy check for forwarded packets */
+ /*
+ * IPsec policy check for forwarded packets. Look at
+ * inner-most IPsec SA used.
+ */
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
s = splnet();
if (mtag != NULL) {
@@ -508,7 +511,10 @@ ipv4_input(m)
return;
}
- /* Fall through, forward packet */
+ /*
+ * Fall through, forward packet. Outbound IPsec policy
+ * checking will occur in ip_output().
+ */
#endif /* IPSEC */
ip_forward(m, 0);
@@ -611,7 +617,8 @@ found:
* That's because we really only care about the properties of
* the protected packet, and not the intermediate versions.
* While this is not the most paranoid setting, it allows
- * some flexibility in handling of nested tunnels etc.
+ * some flexibility in handling nested tunnels (in setting up
+ * the policies).
*/
if ((ip->ip_p == IPPROTO_ESP) || (ip->ip_p == IPPROTO_AH) ||
(ip->ip_p == IPPROTO_IPCOMP))
@@ -636,7 +643,17 @@ found:
if ((ip->ip_p == IPPROTO_TCP) || (ip->ip_p == IPPROTO_UDP))
goto skipipsec;
- /* IPsec policy check for local-delivery packets */
+ /*
+ * IPsec policy check for local-delivery packets. Look at the
+ * inner-most SA that protected the packet. This is in fact
+ * a bit too restrictive (it could end up causing packets to
+ * be dropped that semantically follow the policy, e.g., in
+ * certain SA-bundle configurations); but the alternative is
+ * very complicated (and requires keeping track of what
+ * kinds of tunneling headers have been seen in-between the
+ * IPsec headers), and I don't think we lose much functionality
+ * that's needed in the real world (who uses bundles anyway ?).
+ */
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
s = splnet();
if (mtag) {
@@ -648,7 +665,7 @@ found:
tdb, NULL);
splx(s);
- /* Error or otherwise drop-packet indication */
+ /* Error or otherwise drop-packet indication. */
if (error) {
ipstat.ips_cantforward++;
m_freem(m);