The branch stable/14 has been updated by ae:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=628e76a986b9621199e77730eebfdb8e0e43c945

commit 628e76a986b9621199e77730eebfdb8e0e43c945
Author:     Andrey V. Elsukov <a...@freebsd.org>
AuthorDate: 2024-11-25 17:42:00 +0000
Commit:     Andrey V. Elsukov <a...@freebsd.org>
CommitDate: 2024-12-02 10:24:03 +0000

    ipsec: fix IPv6 over IPv4 tunneling.
    
    Properly initialize setdf variable in ipsec_encap().
    It is used for AF_INET6 case when IPv6 datagram is going to be
    encapsulated into IPv4 datagram.
    
    PR:             282535
    Fixes:          4046178557e1
    
    (cherry picked from commit c94d6389e428fac55946bfcdbbc3162c06a9278e)
---
 sys/netipsec/ipsec_output.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index caf3c3f74433..ebff5ee5adc7 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -1083,7 +1083,7 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
 #endif
        struct ip *ip;
 #ifdef INET
-       int setdf;
+       int setdf = V_ip4_ipsec_dfbit == 1 ? 1: 0;
 #endif
        uint8_t itos, proto;
 
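Review bot: The new initializer on `setdf` encodes the three meanings of the dfbit setting without stating them, and `ipsec_encap()` continues outside this hunk, so the paths that depend on the initial value are not visible here. A comment above the declaration would help, for example `/* dfbit: 0 = clear DF, 1 = set DF, >1 = copy DF from the inner IPv4 header */`. Going by the commit message, an inner IPv6 packet has no DF flag to copy, so in the ">1" mode the outer IPv4 header is presumably sent with DF clear; that is worth stating in the comment once confirmed against the AF_INET6 branch. As a style point, the comparison already yields 0 or 1, so `int setdf = (V_ip4_ipsec_dfbit == 1);` is enough and avoids the uneven `? 1: 0` spacing.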
@@ -1093,17 +1093,11 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
        case IPVERSION:
                proto = IPPROTO_IPIP;
                /*
-                * Collect IP_DF state from the inner header
-                * and honor system-wide control of how to handle it.
+                * Copy IP_DF flag from the inner header if
+                * system-wide control variable is greater than 1.
                 */
-               switch (V_ip4_ipsec_dfbit) {
-               case 0: /* clear in outer header */
-               case 1: /* set in outer header */
-                       setdf = V_ip4_ipsec_dfbit;
-                       break;
-               default:/* propagate to outer header */
+               if (V_ip4_ipsec_dfbit > 1)
                        setdf = (ip->ip_off & htons(IP_DF)) != 0;
-               }
                itos = ip->ip_tos;
                break;
 #endif
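Review bot: The replacement test `if (V_ip4_ipsec_dfbit > 1)` does not cover every value the removed `default:` label did. A negative setting used to propagate the inner DF bit, and now leaves `setdf` at 0, so DF is cleared on the outer header. If the sysctl handler (not visible in this diff) already restricts the value to a non-negative range this is harmless; otherwise `if (V_ip4_ipsec_dfbit != 0 && V_ip4_ipsec_dfbit != 1)` keeps the old behaviour. The variable is also read once in the initializer and again here, so if it can change between the two reads the result may match neither setting; reading it into a local once, `const int dfbit = V_ip4_ipsec_dfbit;`, would avoid that.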
