svn commit: r275716 - in head/sys: netinet netinet6

Andrey V. Elsukov ae at FreeBSD.org
Thu Dec 11 19:20:15 UTC 2014


Author: ae
Date: Thu Dec 11 19:20:13 2014
New Revision: 275716
URL: https://svnweb.freebsd.org/changeset/base/275716

Log:
  Do not count security policy violations twice.
  ipsec*_in_reject() already do this on their own.
  
  Obtained from:	Yandex LLC
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netinet/sctp_input.c
  head/sys/netinet/tcp_input.c
  head/sys/netinet/udp_usrreq.c
  head/sys/netinet6/raw_ip6.c
  head/sys/netinet6/udp6_usrreq.c

Modified: head/sys/netinet/sctp_input.c
==============================================================================
--- head/sys/netinet/sctp_input.c	Thu Dec 11 19:09:57 2014	(r275715)
+++ head/sys/netinet/sctp_input.c	Thu Dec 11 19:20:13 2014	(r275716)
@@ -5698,7 +5698,6 @@ sctp_common_input_processing(struct mbuf
 #ifdef INET
 		case AF_INET:
 			if (ipsec4_in_reject(m, &inp->ip_inp.inp)) {
-				IPSECSTAT_INC(ips_in_polvio);
 				SCTP_STAT_INCR(sctps_hdrops);
 				goto out;
 			}
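Review bot: Dropping `IPSECSTAT_INC(ips_in_polvio)` here leaves the call site silently depending on `ipsec4_in_reject()` doing that accounting itself, and nothing at this site records that dependency; a reader seeing a policy-reject branch with no counter update will be tempted to put it back. I would add a one-line comment on the branch, e.g. `/* ipsec4_in_reject() already counts ips_in_polvio. */`, and the same note applies to the other hunks in this commit (the AF_INET6 case below, tcp_input.c, udp_usrreq.c, raw_ip6.c and udp6_usrreq.c). The enclosing `sctp_common_input_processing()` switch starts and ends outside the hunk, and `SCTP_STAT_INCR(sctps_hdrops)` remains as the only per-site counter.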
@@ -5707,7 +5706,6 @@ sctp_common_input_processing(struct mbuf
 #ifdef INET6
 		case AF_INET6:
 			if (ipsec6_in_reject(m, &inp->ip_inp.inp)) {
-				IPSEC6STAT_INC(ips_in_polvio);
 				SCTP_STAT_INCR(sctps_hdrops);
 				goto out;
 			}

Modified: head/sys/netinet/tcp_input.c
==============================================================================
--- head/sys/netinet/tcp_input.c	Thu Dec 11 19:09:57 2014	(r275715)
+++ head/sys/netinet/tcp_input.c	Thu Dec 11 19:20:13 2014	(r275716)
@@ -894,12 +894,10 @@ findpcb:
 #ifdef IPSEC
 #ifdef INET6
 	if (isipv6 && ipsec6_in_reject(m, inp)) {
-		IPSEC6STAT_INC(ips_in_polvio);
 		goto dropunlock;
 	} else
 #endif /* INET6 */
 	if (ipsec4_in_reject(m, inp) != 0) {
-		IPSECSTAT_INC(ips_in_polvio);
 		goto dropunlock;
 	}
 #endif /* IPSEC */
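Review bot: The two surviving reject checks are written differently, `isipv6 && ipsec6_in_reject(m, inp)` versus `ipsec4_in_reject(m, inp) != 0`, for what the commit log treats as the same policy check; since the commit already touches both lines it is a cheap moment to make them read the same, e.g. `if (ipsec4_in_reject(m, inp)) {`. The `findpcb:` label's block starts and ends outside the hunk.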

Modified: head/sys/netinet/udp_usrreq.c
==============================================================================
--- head/sys/netinet/udp_usrreq.c	Thu Dec 11 19:09:57 2014	(r275715)
+++ head/sys/netinet/udp_usrreq.c	Thu Dec 11 19:20:13 2014	(r275716)
@@ -323,7 +323,6 @@ udp_append(struct inpcb *inp, struct ip 
 	/* Check AH/ESP integrity. */
 	if (ipsec4_in_reject(n, inp)) {
 		m_freem(n);
-		IPSECSTAT_INC(ips_in_polvio);
 		return;
 	}
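Review bot: The comment kept above the check, `/* Check AH/ESP integrity. */`, no longer matches what the branch visibly does: the counter being removed is `ips_in_polvio` and the log describes the call as a security policy check, so the comment appears to describe a different stage of IPsec processing than `ipsec4_in_reject()`. I would reword it to `/* Drop packets that violate the inbound IPsec policy. */`; the same comment precedes `ipsec6_in_reject()` in the udp6_usrreq.c hunk. `udp_append()` starts and ends outside the hunk.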
 #ifdef IPSEC_NAT_T

Modified: head/sys/netinet6/raw_ip6.c
==============================================================================
--- head/sys/netinet6/raw_ip6.c	Thu Dec 11 19:09:57 2014	(r275715)
+++ head/sys/netinet6/raw_ip6.c	Thu Dec 11 19:20:13 2014	(r275716)
@@ -264,7 +264,6 @@ rip6_input(struct mbuf **mp, int *offp, 
 			 */
 			if (n && ipsec6_in_reject(n, last)) {
 				m_freem(n);
-				IPSEC6STAT_INC(ips_in_polvio);
 				/* Do not inject data into pcb. */
 			} else
 #endif /* IPSEC */
@@ -296,7 +295,6 @@ rip6_input(struct mbuf **mp, int *offp, 
 	 */
 	if ((last != NULL) && ipsec6_in_reject(m, last)) {
 		m_freem(m);
-		IPSEC6STAT_INC(ips_in_polvio);
 		IP6STAT_DEC(ip6s_delivered);
 		/* Do not inject data into pcb. */
 		INP_RUNLOCK(last);

Modified: head/sys/netinet6/udp6_usrreq.c
==============================================================================
--- head/sys/netinet6/udp6_usrreq.c	Thu Dec 11 19:09:57 2014	(r275715)
+++ head/sys/netinet6/udp6_usrreq.c	Thu Dec 11 19:20:13 2014	(r275716)
@@ -158,7 +158,6 @@ udp6_append(struct inpcb *inp, struct mb
 	/* Check AH/ESP integrity. */
 	if (ipsec6_in_reject(n, inp)) {
 		m_freem(n);
-		IPSEC6STAT_INC(ips_in_polvio);
 		return;
 	}
 #endif /* IPSEC */

