Patrick McHardy wrote:
> Thanks, I didn't know pluto uses the xfrm_user interface, so
> I only looked for pfkey symbolic names. So it seems only racoon
> needs to be fixed. I think we should apply the attached patch
> to make xfrm_policy_check reject packets decapsulated by IPsec
> without a policy for this direction, so people will notice
> something is wrong. It also prevents skipping checks against the
> socket policy if there is an empty policy list .. or am I missing
> something ?

Obviously I did :) This patch should be better.

> Regards
> Patrick
>
>--- a/include/net/xfrm.h 2004-10-18 00:15:18 +02:00
>+++ b/include/net/xfrm.h 2004-10-18 00:15:18 +02:00
>@@ -601,7 +601,7 @@
> if (sk && sk->sk_policy[XFRM_POLICY_IN])
> return __xfrm_policy_check(sk, dir, skb, family);
>
>- return !xfrm_policy_list[dir] ||
>+ return ((!sk || !sk->sk_policy[dir]) && !xfrm_policy_list[dir] && !skb->sp) ||
> (skb->dst->flags & DST_NOPOLICY) ||
> __xfrm_policy_check(sk, dir, skb, family);
> }
>
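Review bot: the new `(!sk || !sk->sk_policy[dir])` clause on the `+` line is redundant for the IN direction, because the early return two lines above already sends any socket that has an `XFRM_POLICY_IN` policy to `__xfrm_policy_check`; it only changes behaviour for other values of `dir`, and for a non-NULL `sk` it indexes `sk_policy` with `dir` directly, so it is worth confirming that every caller passing a socket uses a direction that is a valid `sk_policy` index. The `!skb->sp` term is the part that implements the stated goal (a packet that carries a sec_path is no longer accepted merely because the policy list is empty and instead falls through to `__xfrm_policy_check`); a short comment above the return saying so would help the next reader, since the combined expression is dense. The `+` line also runs past 80 columns and should be split, e.g. `return ((!sk || !sk->sk_policy[dir]) &&` followed by `!xfrm_policy_list[dir] && !skb->sp) ||`.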