On Fri, May 12, 2017 at 01:53:12PM +0200, Alexander Bluhm wrote: > In bridge_ipsec() tdb comes from > gettdb() called with proto. There we goto skiplookup if proto != > IPPROTO_ESP && proto != IPPROTO_AH && proto != IPPROTO_IPCOMP.
While looking at this, I saw the same code in the IPv4 and IPv6 case. And we could put the panic there, too. ok? bluhm
Index: net/if_bridge.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.294
diff -u -p -r1.294 if_bridge.c
--- net/if_bridge.c 5 Feb 2017 16:04:14 -0000 1.294
+++ net/if_bridge.c 12 May 2017 14:51:35 -0000
@@ -1425,17 +1425,6 @@ bridge_ipsec(struct bridge_softc *sc, st
 sizeof(struct in_addr), (caddr_t)&dst.sin.sin_addr);
- if (ip->ip_p == IPPROTO_ESP)
- m_copydata(m, hlen, sizeof(u_int32_t),
- (caddr_t)&spi);
- else if (ip->ip_p == IPPROTO_AH)
- m_copydata(m, hlen + sizeof(u_int32_t),
- sizeof(u_int32_t), (caddr_t)&spi);
- else if (ip->ip_p == IPPROTO_IPCOMP) {
- m_copydata(m, hlen + sizeof(u_int16_t),
- sizeof(u_int16_t), (caddr_t)&cpi);
- spi = ntohl(htons(cpi));
- }
 break;
 #ifdef INET6
 case AF_INET6:
@@ -1459,25 +1448,29 @@ bridge_ipsec(struct bridge_softc *sc, st
 sizeof(struct in6_addr), (caddr_t)&dst.sin6.sin6_addr);
- if (proto == IPPROTO_ESP)
- m_copydata(m, hlen, sizeof(u_int32_t),
- (caddr_t)&spi);
- else if (proto == IPPROTO_AH)
- m_copydata(m, hlen + sizeof(u_int32_t),
- sizeof(u_int32_t), (caddr_t)&spi);
- else if (proto == IPPROTO_IPCOMP) {
- m_copydata(m, hlen + sizeof(u_int16_t),
- sizeof(u_int16_t), (caddr_t)&cpi);
- spi = ntohl(htons(cpi));
- }
 break;
 #endif /* INET6 */
 default:
 return (0);
 }
- if (proto == 0)
- goto skiplookup;
+ switch (proto) {
+ case IPPROTO_ESP:
+ m_copydata(m, hlen, sizeof(u_int32_t), (caddr_t)&spi);
+ break;
+ case IPPROTO_AH:
+ m_copydata(m, hlen + sizeof(u_int32_t),
+ sizeof(u_int32_t), (caddr_t)&spi);
+ break;
+ case IPPROTO_IPCOMP:
+ m_copydata(m, hlen + sizeof(u_int16_t),
+ sizeof(u_int16_t), (caddr_t)&cpi);
+ spi = ntohl(htons(cpi));
+ break;
+ default:
+ panic("%s: unknown/unsupported security protocol %d",
+ __func__, proto);
+ }
 splsoftassert(IPL_SOFTNET);
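Review bot: The new `default: panic(...)` in the second hunk replaces the removed `if (proto == 0) goto skiplookup;` fallback, so its safety rests entirely on every path into the switch having already narrowed proto to ESP/AH/IPCOMP; that earlier filter is outside the hunk (bridge_ipsec begins before it), and a bridged frame is network-supplied, so if any address-family branch can still leave proto at 0 or another value this converts a skipped lookup into a kernel panic reachable from the wire. It would be worth stating in the commit message which check makes the default branch unreachable, or annotating it with `/* proto was validated before the AF switch; anything else is a programming error */`. The three m_copydata() reads of 2 or 4 bytes at hlen carry no visible length check; that is unchanged from the removed code, but now that the lookup is unconditional a reference to where the mbuf length is validated would help the next reader.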