path: root/lib/libc
author: bluhm <bluhm@openbsd.org> 2017-05-12 23:05:58 +0000
committer: bluhm <bluhm@openbsd.org> 2017-05-12 23:05:58 +0000
commit: 6089190c750b79ca63a8a74ef4abfe896ebb4c8d (patch)
tree: 40feb9524567b7e829154587a855ba2a5464dfcd /lib/libc
parent: Unify duplicate code from address family switch in bridge_ipsec(). (diff)
download: wireguard-openbsd-6089190c750b79ca63a8a74ef4abfe896ebb4c8d.tar.xz
          wireguard-openbsd-6089190c750b79ca63a8a74ef4abfe896ebb4c8d.zip
IPsec packets were passed through ip_input() a second time after they had been decrypted. That means that all the IP header fields were checked twice. Also, fragment reassembly was tried twice.

In pf, incoming packets in tunnel mode appeared twice on the enc0 interface, once as IP-in-IP and once as the inner packet. In the outgoing path pf only sees the inner packet. Asymmetry is bad for stateful filtering. IPv6 shows that IPsec works without that.

After decrypting, immediately continue with local delivery. In tunnel mode the IP-in-IP protocol functions pass the inner header to ip6_input(). In transport mode only pf_test() has to be called for the enc0 device.

Introduce ip_local() to avoid needless processing and give cleaner pf behavior in IPv4 IPsec.

OK mikeb@
Diffstat (limited to 'lib/libc')
0 files changed, 0 insertions, 0 deletions