Date:      Tue, 13 Dec 2016 22:40:10 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r310039 - projects/ipsec/sys/netipsec
Message-ID:  <201612132240.uBDMeAfP064312@repo.freebsd.org>

Author: ae
Date: Tue Dec 13 22:40:09 2016
New Revision: 310039
URL: https://svnweb.freebsd.org/changeset/base/310039

Log:
  Fix the problem with SP PCB cache.
  
  tcp_input() uses ipsec[46]_in_reject() to check mbuf against inbound
  security policies. We use SP PCB cache to store result of policy lookup
  in the given inpcb. If inpcb belongs to listening socket that is bound
  to ANY address, the lookup result for another connection may differ.
  Thus the cached policy will prevent another connection from being established.
  
  Store inbound policy in the cache only if local address in PCB isn't
  equal to INADDR_ANY.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c	Tue Dec 13 22:31:49 2016	(r310038)
+++ projects/ipsec/sys/netipsec/ipsec.c	Tue Dec 13 22:40:09 2016	(r310039)
@@ -1349,9 +1349,15 @@ ipsec_in_reject(struct secpolicy *sp, st
 
 	if (inp != NULL &&
 	    (inp->inp_sp->flags & INP_INBOUND_POLICY) == 0 &&
-	    inp->inp_sp->sp_in == NULL) {
+	    inp->inp_sp->sp_in == NULL &&
+	    inp->inp_laddr.s_addr != INADDR_ANY) {
 		/*
 		 * Save found INBOUND policy into PCB SP cache.
+		 * NOTE: We do this only if local address isn't INADDR_ANY,
+		 * because a cached policy for listen socket, that bound to
+		 * ANY address, may prevent to establish another connection.
+		 * We don't check address family, since both INADDR_ANY and
+		 * UNSPECIFIED IPv6 address contains all zeroes.
 		 */
 		genid = key_getspgen();
 		inp->inp_sp->sp_in = sp;
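Review bot: the new condition compares only the 32-bit IPv4 field `inp->inp_laddr.s_addr`, while the added comment ("We don't check address family, since both INADDR_ANY and UNSPECIFIED IPv6 address contains all zeroes") justifies covering IPv6 sockets with that same test; nothing in the hunk shows that `inp_laddr` overlaps the storage of the IPv6 local address, so a reader cannot verify the claim from the code. Either extend the comment to state that dependency explicitly (that `inp_laddr` aliases part of the IPv6 local address in the PCB, so an all-zero IPv6 address also yields zero here), or make the test per address family, e.g. `IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr)` for sockets with `INP_IPV6` set and the `INADDR_ANY` comparison otherwise. Note also that, if the aliasing holds, any IPv6 local address whose low 32 bits are zero would skip the cache too; that only loses the optimization rather than caching a wrong policy, which is worth a sentence in the comment so nobody later "fixes" it.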

