On Fri, May 12, 2017 at 05:05:58PM -0600, Alexander Bluhm wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: [email protected] 2017/05/12 17:05:58
>
> Modified files:
> sys/netinet : ip_input.c ip_var.h ipsec_input.c
>
> Log message:
> IPsec packets were passed through ip_input() a second time after
> they have been decrypted. That means that all the IP header fields
> were checked twice. Also fragment reassembly was tried twice.
> At pf incoming packets in tunnel mode appeared twice on the enc0
> interface, once as IP-in-IP and once as the inner packet. In the
> outgoing path pf only sees the inner packet. Asymmetry is bad for
> stateful filtering.
> IPv6 shows that IPsec works without that. After decrypting immediately
> continue with local delivery. In tunnel mode the IP-in-IP protocol
> functions pass the inner header to ip6_input(). In transport mode
> only pf_test() has to be called for the enc0 device.
> Introduce ip_local() to avoid needless processing and cleaner pf
> behavior in IPv4 IPsec.
> OK mikeb@
and OK markus@
