CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	ae <ae@FreeBSD.org>
	Mon, 28 Aug 2017 10:02:47 +0000 (10:02 +0000)
committer	ae <ae@FreeBSD.org>
	Mon, 28 Aug 2017 10:02:47 +0000 (10:02 +0000)
commit	4e0ff7d0a944d10581e904bc3057524ce7071e30
tree	120d613f991ea694c0f785dd27a730c456b4b26a	tree \| snapshot
parent	4b62db3cb398d08c8a25e95e5d3a83bbb3d55e1b	commit \| diff

MFC r322750:
  Fix the regression introduced in r275710.

  When a security policy should match TCP connection with specific ports,
  the SYN+ACK segment send by syncache_respond() is considered as forwarded
  packet, because at this moment TCP connection does not have PCB structure,
  and ip_output() is called without inpcb pointer. In this case SPIDX filled
  for SP lookup will not contain TCP ports and security policy will not
  be found. This can lead to unencrypted SYN+ACK on the wire.

  This patch restores the old behavior, when ports will not be filled only
  for forwarded packets.

  Reported by: Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au>

MFC r322751:
  Remove stale comments.

sys/netipsec/ipsec.c		diff \| blob \| history
sys/netipsec/ipsec.h		diff \| blob \| history
sys/netipsec/ipsec6.h		diff \| blob \| history
sys/netipsec/ipsec_output.c		diff \| blob \| history