On Wed, Sep 30, 2009 at 05:34:49AM -0700, Erik Nordmark wrote: <SNIP!>
> I went and looked at onnv-gate and there is no such thing in the receive
> side for global policy for a clear-text packet.
>
> If a clear-text packet comes into ip_input it calls
> if (ip_iptun_input(NULL, mp, ipha, ill, ire, ipst))
> i.e., no M_CTL.
>
> Then the packet is passed to iptun_input that looks at IPsec policy iff
> there is an M_CTL.
>
> Thus a cleartext tunneled packet plus just a global IPsec policy doesn't
> result in a policy check for iptun in Nevada.
>
> TCP and UDP input do check for a global policy (in ip_tcp_input and
> ip_udp_input).
>
> Is the above a bug in Nevada?

It seems to be. I'll confirm this later in the morning.

BTW, ipsec_tun_inbound() is supposed to be called regardless of whether or not there's an M_CTL present. It contains checking for global policy too if an ipsec_tun_pol_t isn't hanging off the iptun_t.

> In any case, IP datapath refactoring behaves the same as Nevada in this
> case.

I need to confirm the breakage. Also, I don't recall the "ipsec" variable in iptun_input() being in earlier revs of in-development clearview-iptun. Actually, it may have been a cleanup attempt that didn't account for something.

Regardless, it does look like a bug (possibly a serious security hole, actually).

Dan
