Since all other arguments are optional I don't see why filter is special.
OK?
---
sys/netinet/ip_ipsp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git sys/netinet/ip_ipsp.c sys/netinet/ip_ipsp.c
index edeabc8..184c28f 100644
--- sys/netinet/ip_ipsp.c
+++ sys/netinet/ip_ipsp.c
@@ -370,21 +370,22 @@ ipsp_aux_match(struct tdb *tdb,
if (tdb->tdb_local_cred == NULL ||
!ipsp_ref_match(tdb->tdb_local_cred, plcred))
return 0;
if (prcred != NULL)
if (tdb->tdb_remote_cred == NULL ||
!ipsp_ref_match(tdb->tdb_remote_cred, prcred))
return 0;
/* Check for filter matches. */
- if (tdb->tdb_filter.sen_type) {
+ if (pfilter != NULL && pfiltermask != NULL &&
+ tdb->tdb_filter.sen_type) {
/*
* XXX We should really be doing a subnet-check (see
* whether the TDB-associated filter is a subset
* of the policy's. For now, an exact match will solve
* most problems (all this will do is make every
* policy get its own SAs).
*/
if (memcmp(&tdb->tdb_filter, pfilter,
sizeof(struct sockaddr_encap)) ||
memcmp(&tdb->tdb_filtermask, pfiltermask,
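Review bot: The new guard `if (pfilter != NULL && pfiltermask != NULL &&` skips the whole filter comparison when either pointer is NULL, so a caller that supplies `pfilter` but no `pfiltermask` (or the reverse) gets a match on a TDB whose `tdb_filter` was never compared. That is a fail-open result for SA selection; if a half-specified pair is not a legitimate call, reject it before the check with `if ((pfilter == NULL) != (pfiltermask == NULL)) return 0;`. It would also help to extend the `/* Check for filter matches. */` comment to say that NULL for both arguments means the caller does not constrain the flow, so a TDB with any filter is accepted. Whether any caller passes only one of the two is not visible here, and the body of ipsp_aux_match continues past the end of the hunk.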
--
2.3.4