From: Herbert Xu <[EMAIL PROTECTED]>
Date: Wed, 2 Apr 2008 20:40:24 +0800

> [ICMP]: Ensure that ICMP relookup maintains status quo
>
> The ICMP relookup path is only meant to modify behaviour when
> appropriate IPsec policies are in place and marked as requiring
> relookups. It is certainly not meant to modify behaviour when
> IPsec policies don't exist at all.
>
> However, due to an oversight on the error paths existing behaviour
> may in fact change should one of the relookup steps fail.
>
> This patch corrects this by redirecting all errors on relookup
> failures to the previous code path. That is, if the initial
> xfrm_lookup let the packet pass, we will stand by that decision
> should the relookup fail due to an error.
>
> This should be safe from a security point-of-view because compliant
> systems must install a default deny policy so the packet wouldn't
> have passed in that case.
>
> Many thanks to Julian Anastasov for pointing out this error.
>
> Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>

Applied, thanks Herbert.
