[XFRM]

Many cheap IPsec appliances don't check the Next Header ESP field. This is not correct according to the RFCs, and Linux rightfully does check the field. The problem is that some appliances also don't set this value correctly to 4 (IP on IP); they leave it on 0.

The following patch prevents Linux from silently dropping these incorrect ESP packets, and lets the rest of the code do the sanity check (checking IP header length, etc.). I believe Linux should not be too strict on this field, as long as no other protocols are supported in the payload.

Do you guys agree that Linux is too strict here? Maybe some sort of warning system could be put in place here?

Signed-off-by: Ludo Stellingwerff <[EMAIL PROTECTED]>

---

 net/ipv4/xfrm4_input.c |    2 --
 1 files changed, 2 deletions(-)

--- kernel-source-2.6.11/net/ipv4/xfrm4_input.c 2005-03-02 08:37:48.000000000 +0100
+++ new/net/ipv4/xfrm4_input.c  2005-08-19 10:58:46.389587780 +0200
@@ -97,8 +97,6 @@
                iph = skb->nh.iph;
 
                if (x->props.mode) {
-                       if (iph->protocol != IPPROTO_IPIP)
-                               goto drop;
                        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
                                goto drop;
                        if (skb_cloned(skb) &&
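Review bot: dropping the `if (iph->protocol != IPPROTO_IPIP) goto drop;` check outright removes the only test in this tunnel-mode branch that the decapsulated payload is actually IPv4; the `pskb_may_pull(skb, sizeof(struct iphdr))` that follows only guarantees enough bytes are present, not that they are an IP header, so any inner next-header value would now be parsed as IPv4. If the goal is interoperability with peers that leave the field at 0, a narrower change is to accept exactly that value, e.g. `if (iph->protocol != IPPROTO_IPIP && iph->protocol != 0) goto drop;`, ideally with a rate-limited warning so operators can spot the misbehaving peer, rather than accepting every protocol number.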
