freebsd-nq/sys
Andrey V. Elsukov e58320f127 Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
security policy. The changed block of code in ip*_ipsec_input() is
called when the packet has an ESP/AH header. Presence of the
PACKET_TAG_IPSEC_IN_DONE mbuf tag at the same time means that the
packet was already handled by IPSEC and reinjected in the netisr,
and it has other ESP/AH headers (encrypted twice?).
Since it was already processed by IPSEC code, the AH/ESP headers
were already stripped (and probably the outer IP header was stripped too)
and the security policy from the tdb_ident was applied to those headers.
It is incorrect to apply this security policy to current headers.

Also make ip_ipsec_input() prototype similar to ip6_ipsec_input().

Obtained from:	Yandex LLC
Sponsored by:	Yandex LLC
2014-12-11 14:58:55 +00:00
..
amd64 This configuration file removes several debugging options, including 2014-12-02 19:55:43 +00:00
arm Fix the watchdog timeout calculation to prevent wrap. The RPi hardware 2014-12-10 04:54:43 +00:00
boot o Add BERI Virtio Networking Frontend (if_vtbe) 2014-12-09 16:39:21 +00:00
bsm
cam Count consecutive read requests as blocking in CTL for files and ZVOLs. 2014-12-06 20:39:25 +00:00
cddl MFV r275540: 2014-12-08 06:04:42 +00:00
compat The process spin lock currently has the following distinct uses: 2014-11-26 14:10:00 +00:00
conf xen: move grant table code 2014-12-10 11:21:52 +00:00
contrib Correctly define constants. 2014-11-28 04:07:06 +00:00
crypto Fix gcc build: preserve const qualifier when casting input values. 2014-11-11 13:37:28 +00:00
ddb ddb: ANSI-fy function declarations. 2014-10-12 18:01:52 +00:00
dev xen: convert the Grant-table code to a NewBus device 2014-12-10 11:35:41 +00:00
fs ext2fs: Fix old out-of-bounds access. 2014-12-09 14:56:00 +00:00
gdb Add support for gdb's memory searching capabilities to our in-kernel gdb 2014-09-05 16:40:47 +00:00
geom Avoid unneeded malloc/memcpy/free if there is no metadata on disk. 2014-12-05 10:23:18 +00:00
gnu reiserfs: Use signed i_nlink 2014-09-25 19:10:32 +00:00
i386 This configuration file removes several debugging options, including 2014-12-02 19:55:43 +00:00
isa
kern Do not call VFS_SYNC() before VFS_UNMOUNT() for forced unmount. 2014-12-09 10:00:47 +00:00
kgssapi Avoid dynamic syscall overhead for statically compiled modules. 2014-10-26 19:42:44 +00:00
libkern Use the unified syntax in a few more assembly files 2014-12-05 19:08:36 +00:00
mips Switch is an 8316, so make the comments say that. 2014-12-03 23:37:23 +00:00
modules remove opensolaris cyclic code, replace with high-precision callouts 2014-12-07 11:21:41 +00:00
net Remove unneeded check. No need to do m_pullup to the size that we prepended. 2014-12-02 05:41:03 +00:00
net80211 Fix multiple incorrect SYSCTL arguments in the kernel: 2014-10-21 07:31:21 +00:00
netgraph In preparation of merging projects/sendfile, transform bare access to 2014-11-12 09:57:15 +00:00
netinet Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its 2014-12-11 14:58:55 +00:00
netinet6 Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its 2014-12-11 14:58:55 +00:00
netipsec key_getspacq() returns holding the spacq_lock. Unlock it in all cases. 2014-12-07 06:47:00 +00:00
netnatm
netpfil pf(4) needs to have a correct checksum during its processing. 2014-11-19 13:31:08 +00:00
netsmb
nfs Avoid dynamic syscall overhead for statically compiled modules. 2014-10-26 19:42:44 +00:00
nfsclient Follow up to r225617. In order to maximize the re-usability of kernel code 2014-10-16 18:04:43 +00:00
nfsserver
nlm Avoid dynamic syscall overhead for statically compiled modules. 2014-10-26 19:42:44 +00:00
ofed Make sure callbacks being freed are not pending when the 2014-12-11 10:47:50 +00:00
opencrypto Fix build for kernels without COMPAT_FREEBSD32. 2014-09-22 17:32:27 +00:00
pc98 This configuration file removes several debugging options, including 2014-12-02 19:55:43 +00:00
powerpc Fix kernel build for booke. 2014-12-10 20:23:19 +00:00
rpc Current reaction of the nfsd worker threads to any signal is exit. 2014-12-08 16:33:18 +00:00
security Replace dev_clone with cdevpriv(9) KPI in audit_pipe code. 2014-08-20 16:04:30 +00:00
sparc64 This configuration file removes several debugging options, including 2014-12-02 19:55:43 +00:00
sys Pull in r223171 from upstream llvm trunk (by Michael Zolotukhin): 2014-12-09 07:34:28 +00:00
teken
tools Allow the make_dtb script to work outside of a "make buildkernel" context 2014-08-30 22:39:15 +00:00
ufs Merge from projects/sendfile: 2014-11-23 12:01:52 +00:00
vm Always ignore the deprecated MAP_RENAME and MAP_NORESERVE flags to mmap(). 2014-12-05 15:24:42 +00:00
x86 xen/intr: balance dynamic interrupts across available vCPUs 2014-12-10 13:25:21 +00:00
xdr
xen xen: convert the Grant-table code to a NewBus device 2014-12-10 11:35:41 +00:00
Makefile Remove "pci" from CSCOPEDIRS. 2014-09-23 06:32:19 +00:00