freebsd-dev/sys/netipsec
Andrey V. Elsukov b05765d75f Do not use xform_ipip as decapsulation fallback.
xform_ipip was used as a fallback with low priority for IPIP
encapsulated packets that were decrypted. In some cases
it can decapsulate packets that it shouldn't. This leads to situations
where wrong configurations are magically working. Also, it can propagate
the wrong ingress interface, and this can break security.

Now we have redesigned the IPSEC code, and IPIP encapsulation is called directly
from ipsec_output, and decapsulation is done in ipsec_input with m_striphdr.

Differential Revision:	https://reviews.freebsd.org/D1220
MFC after:	1 month
Sponsored by:	Yandex LLC
2014-11-26 17:44:49 +00:00
ah_var.h Migrate structs ahstat, espstat, ipcompstat, ipipstat, pfkeystat, 2013-07-09 10:08:13 +00:00
ah.h
esp_var.h Migrate structs ahstat, espstat, ipcompstat, ipipstat, pfkeystat, 2013-07-09 10:08:13 +00:00
esp.h
ipcomp_var.h Migrate structs ahstat, espstat, ipcompstat, ipipstat, pfkeystat, 2013-07-09 10:08:13 +00:00
ipcomp.h
ipsec6.h Fixed IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels. 2014-05-28 12:45:27 +00:00
ipsec_input.c Strip IP header only when we act in tunnel mode. 2014-11-13 10:48:59 +00:00
ipsec_mbuf.c Use IPSECSTAT_INC() and IPSEC6STAT_INC() macros for ipsec statistics 2013-06-20 09:55:53 +00:00
ipsec_output.c Count statistics for the specific address family. 2014-11-13 12:58:33 +00:00
ipsec.c Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed. 2014-11-07 09:39:05 +00:00
ipsec.h Fix multiple incorrect SYSCTL arguments in the kernel: 2014-10-21 07:31:21 +00:00
key_debug.c Fix style bug: rename the refcount field of m_ext to ext_cnt, to match 2014-07-11 14:34:29 +00:00
key_debug.h
key_var.h Remove more constants related to static sysctl nodes. The MAXID constants 2014-02-25 18:44:33 +00:00
key.c Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed. 2014-11-07 09:39:05 +00:00
key.h Use a static callout to drive key_timehandler() instead of timeout(). 2014-10-23 20:43:16 +00:00
keydb.h
keysock.c Change pr_output's prototype to avoid the need for explicit casts. 2014-08-15 02:43:02 +00:00
keysock.h Change pr_output's prototype to avoid the need for explicit casts. 2014-08-15 02:43:02 +00:00
xform_ah.c Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed. 2014-11-07 09:39:05 +00:00
xform_esp.c Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed. 2014-11-07 09:39:05 +00:00
xform_ipcomp.c Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed. 2014-11-07 09:39:05 +00:00
xform_ipip.c Do not use xform_ipip as decapsulation fallback. 2014-11-26 17:44:49 +00:00
xform_tcp.c
xform.h Do not use xform_ipip as decapsulation fallback. 2014-11-26 17:44:49 +00:00