Author: ae
Date: Thu Dec 11 19:20:13 2014
New Revision: 275716
URL: https://svnweb.freebsd.org/changeset/base/275716

Log:
  Do not count security policy violations twice.
  ipsec*_in_reject() already do this on their own.
  
  Obtained from:        Yandex LLC
  Sponsored by: Yandex LLC

Modified:
  head/sys/netinet/sctp_input.c
  head/sys/netinet/tcp_input.c
  head/sys/netinet/udp_usrreq.c
  head/sys/netinet6/raw_ip6.c
  head/sys/netinet6/udp6_usrreq.c

Modified: head/sys/netinet/sctp_input.c
==============================================================================
--- head/sys/netinet/sctp_input.c       Thu Dec 11 19:09:57 2014        
(r275715)
+++ head/sys/netinet/sctp_input.c       Thu Dec 11 19:20:13 2014        
(r275716)
@@ -5698,7 +5698,6 @@ sctp_common_input_processing(struct mbuf
 #ifdef INET
                case AF_INET:
                        if (ipsec4_in_reject(m, &inp->ip_inp.inp)) {
-                               IPSECSTAT_INC(ips_in_polvio);
                                SCTP_STAT_INCR(sctps_hdrops);
                                goto out;
                        }
@@ -5707,7 +5706,6 @@ sctp_common_input_processing(struct mbuf
 #ifdef INET6
                case AF_INET6:
                        if (ipsec6_in_reject(m, &inp->ip_inp.inp)) {
-                               IPSEC6STAT_INC(ips_in_polvio);
                                SCTP_STAT_INCR(sctps_hdrops);
                                goto out;
                        }

Modified: head/sys/netinet/tcp_input.c
==============================================================================
--- head/sys/netinet/tcp_input.c        Thu Dec 11 19:09:57 2014        
(r275715)
+++ head/sys/netinet/tcp_input.c        Thu Dec 11 19:20:13 2014        
(r275716)
@@ -894,12 +894,10 @@ findpcb:
 #ifdef IPSEC
 #ifdef INET6
        if (isipv6 && ipsec6_in_reject(m, inp)) {
-               IPSEC6STAT_INC(ips_in_polvio);
                goto dropunlock;
        } else
 #endif /* INET6 */
        if (ipsec4_in_reject(m, inp) != 0) {
-               IPSECSTAT_INC(ips_in_polvio);
                goto dropunlock;
        }
 #endif /* IPSEC */

Modified: head/sys/netinet/udp_usrreq.c
==============================================================================
--- head/sys/netinet/udp_usrreq.c       Thu Dec 11 19:09:57 2014        
(r275715)
+++ head/sys/netinet/udp_usrreq.c       Thu Dec 11 19:20:13 2014        
(r275716)
@@ -323,7 +323,6 @@ udp_append(struct inpcb *inp, struct ip 
        /* Check AH/ESP integrity. */
        if (ipsec4_in_reject(n, inp)) {
                m_freem(n);
-               IPSECSTAT_INC(ips_in_polvio);
                return;
        }
 #ifdef IPSEC_NAT_T

Modified: head/sys/netinet6/raw_ip6.c
==============================================================================
--- head/sys/netinet6/raw_ip6.c Thu Dec 11 19:09:57 2014        (r275715)
+++ head/sys/netinet6/raw_ip6.c Thu Dec 11 19:20:13 2014        (r275716)
@@ -264,7 +264,6 @@ rip6_input(struct mbuf **mp, int *offp, 
                         */
                        if (n && ipsec6_in_reject(n, last)) {
                                m_freem(n);
-                               IPSEC6STAT_INC(ips_in_polvio);
                                /* Do not inject data into pcb. */
                        } else
 #endif /* IPSEC */
@@ -296,7 +295,6 @@ rip6_input(struct mbuf **mp, int *offp, 
         */
        if ((last != NULL) && ipsec6_in_reject(m, last)) {
                m_freem(m);
-               IPSEC6STAT_INC(ips_in_polvio);
                IP6STAT_DEC(ip6s_delivered);
                /* Do not inject data into pcb. */
                INP_RUNLOCK(last);

Modified: head/sys/netinet6/udp6_usrreq.c
==============================================================================
--- head/sys/netinet6/udp6_usrreq.c     Thu Dec 11 19:09:57 2014        
(r275715)
+++ head/sys/netinet6/udp6_usrreq.c     Thu Dec 11 19:20:13 2014        
(r275716)
@@ -158,7 +158,6 @@ udp6_append(struct inpcb *inp, struct mb
        /* Check AH/ESP integrity. */
        if (ipsec6_in_reject(n, inp)) {
                m_freem(n);
-               IPSEC6STAT_INC(ips_in_polvio);
                return;
        }
 #endif /* IPSEC */