author | 2009-02-24 21:47:28 +0000 | |
---|---|---|
committer | 2009-02-24 21:47:28 +0000 | |
commit | 91b4ab7eb51943d15fd5b8d202b8007dcde712c8 (patch) | |
tree | 87f8c1c0470a635dde63476d27e49181287ddc46 | |
parent | fix tilde expansion (eg. ~/Mail); ok gilles@ (diff) | |
restore the parsing of incoming tdb update messages. this was disabled
while i was replacing the guts of pfsync, but i forgot to put it back
again. this will make ipsec gateway failover work again.
tested by sthen@ and david@
ok deraadt@
-rw-r--r-- | sys/net/if_pfsync.c | 49 |
1 files changed, 46 insertions, 3 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index b77f74d096f..41cc6de8723 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.110 2009/02/24 05:39:19 dlg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.111 2009/02/24 21:47:28 dlg Exp $ */
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -1248,7 +1248,7 @@ pfsync_in_tdb(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count)
 {
 int len = count * sizeof(struct pfsync_tdb);
-#if 0 && defined(IPSEC)
+#if defined(IPSEC)
 struct pfsync_tdb *tp;
 struct mbuf *mp;
 int offp;
@@ -1264,13 +1264,56 @@ pfsync_in_tdb(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count)
 s = splsoftnet();
 for (i = 0; i < count; i++)
- pfsync_update_net_tdb(&tp[i]); /* XXX */
+ pfsync_update_net_tdb(&tp[i]);
 splx(s);
 #endif
 return (len);
 }
+#if defined(IPSEC)
+/* Update an in-kernel tdb. Silently fail if no tdb is found. */
+void
+pfsync_update_net_tdb(struct pfsync_tdb *pt)
+{
+ struct tdb *tdb;
+ int s;
+
+ /* check for invalid values */
+ if (ntohl(pt->spi) <= SPI_RESERVED_MAX ||
+ (pt->dst.sa.sa_family != AF_INET &&
+ pt->dst.sa.sa_family != AF_INET6))
+ goto bad;
+ s = spltdb();
+ tdb = gettdb(pt->spi, &pt->dst, pt->sproto);
+ if (tdb) {
+ pt->rpl = ntohl(pt->rpl);
+ pt->cur_bytes = betoh64(pt->cur_bytes);
+
+ /* Neither replay nor byte counter should ever decrease. */
+ if (pt->rpl < tdb->tdb_rpl ||
+ pt->cur_bytes < tdb->tdb_cur_bytes) {
+ splx(s);
+ goto bad;
+ }
+
+ tdb->tdb_rpl = pt->rpl;
+ tdb->tdb_cur_bytes = pt->cur_bytes;
+ }
+ splx(s);
+ return;
+
+ bad:
+ if (pf_status.debug >= PF_DEBUG_MISC)
+ printf("pfsync_insert: PFSYNC_ACT_TDB_UPD: "
+ "invalid value\n");
+ pfsyncstats.pfsyncs_badstate++;
+ return;
+}
+#endif
+
+
 int
 pfsync_in_eof(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count)
 { |
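Review bot: The diagnostic under the `bad:` label of the new pfsync_update_net_tdb names a different function, `pfsync_insert`, and prints the same "invalid value" text for both ways of reaching it, so a debug trace cannot distinguish a malformed SPI or address family from a replay or byte counter that went backwards. The counter-regression case is the one an operator would want to see on its own, since it is what stops a stale or unexpected peer update from being applied; give each `goto bad` its own message, e.g. `printf("pfsync_update_net_tdb: PFSYNC_ACT_TDB_UPD: invalid spi/family\n");` for the first and a counter-specific text for the second, or pass a reason string into the label. The one-line comment above the function could also state that an update is applied only when both counters are non-decreasing, which is what the body enforces but the "silently fail if no tdb is found" wording does not mention. pfsync_in_tdb, whose loop calls this function, begins before the hunk.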