From owner-svn-src-stable@freebsd.org Sun Jan 15 15:43:20 2017
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C1ABFCB145E; Sun, 15 Jan 2017 15:43:20 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8258E1E30; Sun, 15 Jan 2017 15:43:20 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v0FFhJnf029548; Sun, 15 Jan 2017 15:43:19 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v0FFhJh5029547; Sun, 15 Jan 2017 15:43:19 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201701151543.v0FFhJh5029547@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f
From: "Andrey V. Elsukov"
Date: Sun, 15 Jan 2017 15:43:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r312233 - stable/11/sys/netipsec
X-SVN-Group: stable-11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
X-List-Received-Date: Sun, 15 Jan 2017 15:43:20 -0000

Author: ae
Date: Sun Jan 15 15:43:19 2017
New Revision: 312233

URL: https://svnweb.freebsd.org/changeset/base/312233

Log:
  MFC r311679:
    Add direction argument to ipsec_setspidx_inpcb() function.

    This function is used only by ipsec_getpolicybysock() to fill security
    policy index selector for locally generated packets (that have INPCB).
    The function incorrectly assumes that spidx is the same for both
    directions. Fix this by using new direction argument to specify correct
    INPCB security policy - sp_in or sp_out. There is no need to fill both
    policy indices, because they are overwritten for each packet.

    This fixes security policy matching for outbound packets when the user
    has specified TCP/UDP ports in the security policy upperspec.

  PR:		213869

Modified:
  stable/11/sys/netipsec/ipsec.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netipsec/ipsec.c
==============================================================================
--- stable/11/sys/netipsec/ipsec.c	Sun Jan 15 13:57:42 2017	(r312232)
+++ stable/11/sys/netipsec/ipsec.c	Sun Jan 15 15:43:19 2017	(r312233)
@@ -241,7 +241,7 @@ SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, #endif /* INET6 */ static int ipsec_in_reject(struct secpolicy *, const struct mbuf *); -static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *); +static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *, u_int); static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int); static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int); static int ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *); @@ -344,7 +344,7 @@ ipsec_getpolicybysock(const struct mbuf } /* Set spidx in pcb. */ - *error = ipsec_setspidx_inpcb(m, inp); + *error = ipsec_setspidx_inpcb(m, inp, dir); if (*error) return (NULL); @@ -501,8 +501,9 @@ ipsec4_checkpolicy(const struct mbuf *m, } static int -ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp) +ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp, u_int dir) { + struct secpolicyindex *spidx; int error; IPSEC_ASSERT(inp != NULL, ("null inp")); @@ -510,11 +511,13 @@ ipsec_setspidx_inpcb(const struct mbuf * IPSEC_ASSERT(inp->inp_sp->sp_out != NULL && inp->inp_sp->sp_in != NULL, ("null sp_in || sp_out")); - error = ipsec_setspidx(m, &inp->inp_sp->sp_in->spidx, 1); + if (dir == IPSEC_DIR_INBOUND) + spidx = &inp->inp_sp->sp_in->spidx; + else + spidx = &inp->inp_sp->sp_out->spidx; + error = ipsec_setspidx(m, spidx, 1); if (error == 0) { - inp->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; - inp->inp_sp->sp_out->spidx = inp->inp_sp->sp_in->spidx; - inp->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; + spidx->dir = dir; } else { bzero(&inp->inp_sp->sp_in->spidx, sizeof (inp->inp_sp->sp_in->spidx));
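Review bot: in the ipsec_setspidx_inpcb() hunk, any `dir` value other than IPSEC_DIR_INBOUND silently selects sp_out and is then stored as-is by `spidx->dir = dir;`, so a stray direction value would be written into the cached selector; add `IPSEC_ASSERT(dir == IPSEC_DIR_OUTBOUND, ("invalid direction"));` in the else branch, matching the IPSEC_ASSERT checks already at the top of the function. The error path is also now asymmetric with the success path: the surviving `bzero(&inp->inp_sp->sp_in->spidx, sizeof (inp->inp_sp->sp_in->spidx));` still clears sp_in regardless of `dir`, while on success only the slot selected by `dir` is written; clearing through the new pointer (`bzero(spidx, sizeof(*spidx));`) keeps both paths operating on the same selector.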