author | 2003-07-28 10:10:16 +0000 | |
---|---|---|
committer | 2003-07-28 10:10:16 +0000 | |
commit | 8260a36bac424ef5292da7f7df9edddf5390c4ce (patch) | |
tree | 666b4202558e313105d4f51800598175aa4cfcfd /sys | |
parent | Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen. (diff) | |
allow gif(4) over ipsec: mark mbuf for transport mode SA,
so in_gif_input can detect whether a proto 4 header is due
to ipsec tunnel mode or gif(4) encapsulation; fixes pr 3023
ok itojun@. provos@ and angelos@ agree; tested by sturm@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/in_gif.c | 8 | ||||
-rw-r--r-- | sys/netinet/ipsec_input.c | 5 | ||||
-rw-r--r-- | sys/sys/mbuf.h | 6 |
3 files changed, 13 insertions, 6 deletions
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index 8664f2adc31..ea4e24de774 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_gif.c,v 1.27 2003/07/09 22:03:16 itojun Exp $ */
+/* $OpenBSD: in_gif.c,v 1.28 2003/07/28 10:10:16 markus Exp $ */
 /* $KAME: in_gif.c,v 1.50 2001/01/22 07:27:16 itojun Exp $ */
 /*
@@ -166,9 +166,11 @@ in_gif_input(struct mbuf *m, ...)
 off = va_arg(ap, int);
 va_end(ap);
- /* XXX what if we run transport-mode IPsec to protect gif tunnel ? */
- if (m->m_flags & (M_AUTH | M_CONF))
+ /* IP-in-IP header is caused by tunnel mode, so skip gif lookup */
+ if (m->m_flags & M_TUNNEL) {
+ m->m_flags &= ~M_TUNNEL;
 goto inject;
+ }
 ip = mtod(m, struct ip *);
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 9a8545fd98a..d4282c826ab 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.68 2003/07/24 11:13:47 markus Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.69 2003/07/28 10:10:16 markus Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -548,6 +548,9 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
 else
 m->m_flags |= M_AUTH | M_AUTH_AH;
+ if (tdbp->tdb_flags & TDBF_TUNNELING)
+ m->m_flags |= M_TUNNEL;
+
 #if NBPFILTER > 0
 bpfif = &encif[0].sc_if;
 if (bpfif->if_bpf) {
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 357d1d3a102..b50e061279d 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mbuf.h,v 1.70 2003/06/02 23:28:21 millert Exp $ */
+/* $OpenBSD: mbuf.h,v 1.71 2003/07/28 10:10:16 markus Exp $ */
 /* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
 /*
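Review bot: The new guard clears M_TUNNEL only on the proto-4 path, so a packet decapsulated from a tunnel-mode SA whose inner protocol is something other than IPv4-in-IPv4 keeps the mark set, and because the mbuf.h hunk adds M_TUNNEL to M_COPYFLAGS that stale mark follows the packet onto header copies and could suppress a gif(4) lookup on a later in_gif_input() pass of the same mbuf. The diffstat shows no other consumer updated in this commit, so this is worth either a second clearing point once ipsec_common_input_cb() has dispatched the inner header, or at least a comment recording the assumption. The same concern applies to the ipsec_input.c hunk, which sets the flag for every TDBF_TUNNELING SA regardless of inner protocol. Suggested comment above the `m->m_flags &= ~M_TUNNEL;` line: `/* one-shot mark from ipsec_common_input_cb(); cleared so a later gif lookup on this mbuf is not suppressed */`. in_gif_input()'s body starts and ends outside the hunk.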
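Review bot: The added M_TUNNEL assignment carries no comment saying that it is a signal for in_gif_input() rather than an IPsec state bit like M_AUTH or M_CONF, and the commit description's "transport mode SA" wording does not match the TDBF_TUNNELING test the new lines are keyed on, which a later reader will have to reconcile. Suggest `/* inner IP-in-IP header comes from tunnel mode; tells in_gif_input() not to treat it as gif(4) encapsulation */` above the new `if`. ipsec_common_input_cb() starts and ends outside the hunk.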
@@ -140,6 +140,7 @@ struct mbuf {
 #define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */
 #define M_COMP 0x1000 /* payload was compressed (IPCOMP) */
 #define M_AUTH_AH 0x2000 /* header was authenticated (AH) */
+#define M_TUNNEL 0x4000 /* IP-in-IP added by tunnel mode IPsec */
 /* Checksumming flags */
 #define M_IPV4_CSUM_OUT 0x0001 /* IPv4 checksum needed */
@@ -158,7 +159,8 @@ struct mbuf {
 #define M_LOOP 0x0040 /* for Mbuf statistics */
 /* flags copied when copying m_pkthdr */
-#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_PROTO1|M_BCAST|M_MCAST|M_CONF|M_AUTH|M_COMP|M_ANYCAST6|M_LOOP)
+#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_PROTO1|M_BCAST|M_MCAST|M_CONF|\
+ M_AUTH|M_COMP|M_ANYCAST6|M_LOOP|M_TUNNEL)
 /* mbuf types */
 #define MT_FREE 0 /* should be on free list */ |
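Review bot: The comment on the new define reads like a durable property of the payload, the way the neighbouring M_AUTH/M_COMP comments do, but the in_gif.c hunk treats M_TUNNEL as a one-shot marker that the consumer clears, and the M_COPYFLAGS change in the second hunk means the mark is carried onto every packet-header copy until then. The define should say so, e.g. `#define M_TUNNEL 0x4000 /* IP-in-IP added by tunnel mode IPsec; cleared by in_gif_input() */`. Whether 0x4000 is otherwise unused in m_flags cannot be confirmed from this hunk, which shows only the neighbouring M_AUTH_AH 0x2000.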