From owner-svn-src-projects@freebsd.org Tue Dec 13 22:40:11 2016
Return-Path:
Delivered-To: svn-src-projects@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 21ED0C7624A for ; Tue, 13 Dec 2016 22:40:11 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E60011B16; Tue, 13 Dec 2016 22:40:10 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBDMeApq064313; Tue, 13 Dec 2016 22:40:10 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBDMeAfP064312; Tue, 13 Dec 2016 22:40:10 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201612132240.uBDMeAfP064312@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f
From: "Andrey V. Elsukov"
Date: Tue, 13 Dec 2016 22:40:10 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r310039 - projects/ipsec/sys/netipsec
X-SVN-Group: projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the src " projects" tree"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 13 Dec 2016 22:40:11 -0000

Author: ae
Date: Tue Dec 13 22:40:09 2016
New Revision: 310039

URL: https://svnweb.freebsd.org/changeset/base/310039

Log:
  Fix the problem with SP PCB cache.

  tcp_input() uses ipsec[46]_in_reject() to check an mbuf against inbound
  security policies. We use the SP PCB cache to store the result of the
  policy lookup in the given inpcb. If the inpcb belongs to a listening
  socket that is bound to ANY address, the lookup result for another
  connection may differ. Thus the cached policy will prevent another
  connection from establishing.

  Store the inbound policy in the cache only if the local address in the
  PCB isn't equal to INADDR_ANY.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c	Tue Dec 13 22:31:49 2016	(r310038)
+++ projects/ipsec/sys/netipsec/ipsec.c	Tue Dec 13 22:40:09 2016	(r310039)
@@ -1349,9 +1349,15 @@ ipsec_in_reject(struct secpolicy *sp, st if (inp != NULL && (inp->inp_sp->flags & INP_INBOUND_POLICY) == 0 && - inp->inp_sp->sp_in == NULL) { + inp->inp_sp->sp_in == NULL && + inp->inp_laddr.s_addr != INADDR_ANY) { /* * Save found INBOUND policy into PCB SP cache. + * NOTE: We do this only if local address isn't INADDR_ANY, + * because a cached policy for listen socket, that bound to + * ANY address, may prevent to establish another connection. + * We don't check address family, since both INADDR_ANY and + * UNSPECIFIED IPv6 address contains all zeroes. */ genid = key_getspgen(); inp->inp_sp->sp_in = sp;
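Review bot: the new guard `inp->inp_laddr.s_addr != INADDR_ANY` tests only 32 bits of the local address, so for an IPv6 inpcb it depends on inp_laddr overlapping the tail of the IPv6 address, which is what the added NOTE admits when it says the address family is not checked. That does catch the unspecified IPv6 address, but it also classifies any specific IPv6 local address whose low 32 bits happen to be zero as ANY and skips caching for it. The miss is in the safe direction (one extra policy lookup, never a wrong cached answer), whereas caching on a wildcard listener is the unsafe one described in the log, since one peer's lookup result would then be applied to every connection the listener accepts; still, it would be cleaner to branch on the address family and use `IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr)` for IPv6 sockets, and to say in the comment that the low-32-bit test is deliberately conservative. Minor: "may prevent to establish another connection" reads better as "may prevent another connection from being established".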