Herbert Xu wrote:
> On Sun, Oct 17, 2004 at 05:48:11PM +0200, Patrick McHardy wrote:
>
>> currently forwarded packets from a tunnel mode SA are checked
>> in ip_forward/ip6_forward against the XFRM_POLICY_FWD policy
>> list. Neither racoon nor pluto generate a policy for
>> IPSEC_DIR_FWD, so the checks are performed against an empty
>
> Actually I made damn sure that pluto does generate rules for
> IPSEC_DIR_FWD after discussing it with Alexey :) Search for
> XFRM_POLICY_FWD in openswan/programs/pluto.

Thanks, I didn't know pluto uses the xfrm_user interface, so I only
looked for pfkey symbolic names. So it seems only racoon needs to be
fixed.

I think we should apply the attached patch to make xfrm_policy_check
reject packets decapsulated by IPsec without a policy for this
direction, so people will notice something is wrong. It also prevents
skipping checks against the socket policy if there is an empty policy
list... or am I missing something?

Regards
Patrick
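The fast-path behaviour the message is arguing about, as an added model that is not the kernel's xfrm_policy_check() and not the attached patch (which is not reproduced on this page). Real packets and policies are reduced to three assumed inputs: how many policies are installed for the direction being checked, whether the packet came out of an IPsec SA, and what the full selector match would say about it. The slow-path stand-in `full_policy_check` assumes that a packet decapsulated from IPsec with no policy covering it is rejected; `policy_check_old` and `policy_check_new` are hypothetical names for the before/after shortcut logic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified model of the fast path in xfrm_policy_check() discussed in the
 * thread. This is an added illustration, not the kernel's code: the real
 * check works on struct sk_buff and struct xfrm_policy and does a selector
 * match in __xfrm_policy_check(). Each "packet" is reduced to the facts the
 * fast path cares about:
 *   decapsulated   - the packet came out of an IPsec SA (the kernel records
 *                    this as a non-NULL skb->sp);
 *   matches_policy - what the full selector match would return for it
 *                    (assumed, since no real selectors are modelled).
 * npolicies is the number of policies installed for the direction being
 * checked, e.g. XFRM_POLICY_FWD for packets passing through ip_forward().
 */

/* Stand-in for the slow path, __xfrm_policy_check(). Assumption made here:
 * with no policy for the direction, a packet that arrived through IPsec is
 * rejected (nothing authorised it) and a plaintext packet is allowed. */
static bool full_policy_check(size_t npolicies, bool decapsulated, bool matches_policy)
{
    if (npolicies == 0)
        return !decapsulated;
    return matches_policy;
}

/* Behaviour before the proposed change: an empty policy list for the
 * direction short-circuits to "allowed" for every packet, so a packet
 * decapsulated from a tunnel-mode SA is forwarded unchecked when the
 * key daemon installed no IPSEC_DIR_FWD policy. */
bool policy_check_old(size_t npolicies, bool decapsulated, bool matches_policy)
{
    if (npolicies == 0)
        return true;
    return full_policy_check(npolicies, decapsulated, matches_policy);
}

/* Behaviour proposed in the thread: the empty-list shortcut applies only
 * to packets that did not come through IPsec. A decapsulated packet always
 * reaches the full check, which rejects it when no policy covers it, so a
 * missing FWD policy shows up as dropped traffic instead of silently
 * bypassing policy. */
bool policy_check_new(size_t npolicies, bool decapsulated, bool matches_policy)
{
    if (npolicies == 0 && !decapsulated)
        return true;
    return full_policy_check(npolicies, decapsulated, matches_policy);
}

int main(void)
{
    /* Constructed cases: empty FWD policy list vs one installed policy,
     * tunnel-decapsulated packet vs plaintext packet. */
    struct { const char *name; size_t n; bool decap; bool match; } cases[] = {
        { "empty FWD list, decapsulated packet",                   0, true,  false },
        { "empty FWD list, plaintext packet",                      0, false, false },
        { "FWD policy installed, decapsulated packet matching it", 1, true,  true  },
        { "FWD policy installed, decapsulated packet not matching",1, true,  false },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-58s old=%s new=%s\n", cases[i].name,
               policy_check_old(cases[i].n, cases[i].decap, cases[i].match) ? "accept" : "reject",
               policy_check_new(cases[i].n, cases[i].decap, cases[i].match) ? "accept" : "reject");
    }
    return 0;
}
```

The first case is the one the thread is about: with racoon installing no forward-direction policy, the old shortcut accepts a tunnel-decapsulated packet without ever consulting a policy, while the proposed logic sends it to the full check and rejects it.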