git: c94d6389e428 - main - ipsec: fix IPv6 over IPv4 tunneling.

From: Andrey V. Elsukov <ae_at_FreeBSD.org>
Date: Mon, 25 Nov 2024 17:50:54 UTC
The branch main has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=c94d6389e428fac55946bfcdbbc3162c06a9278e

commit c94d6389e428fac55946bfcdbbc3162c06a9278e
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2024-11-25 17:42:00 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2024-11-25 17:42:00 +0000

    ipsec: fix IPv6 over IPv4 tunneling.
    
    Properly initialize setdf variable in ipsec_encap().
    It is used for AF_INET6 case when IPv6 datagram is going to be
    encapsulated into IPv4 datagram.
    
    PR:             282535
    Fixes:          4046178557e1
    MFC after:      1 week
---
 sys/netipsec/ipsec_output.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 10f1728f72ac..73a32c71fffc 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -1112,7 +1112,7 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
 #endif
 	struct ip *ip;
 #ifdef INET
-	int setdf;
+	int setdf = V_ip4_ipsec_dfbit == 1 ? 1: 0;
 #endif
 	uint8_t itos, proto;
 
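Review bot: The new initializer on the `setdf` declaration now carries the 0/1 policy for `V_ip4_ipsec_dfbit`, but the per-value comments that explained it are removed in the second hunk, so nothing near the declaration says what the values mean. A comment such as `/* dfbit: 0 = clear DF, 1 = set DF, >1 = copy DF from an inner IPv4 header; other inner families keep this default */` would record that. As far as these hunks show, an IPv6 inner packet gets DF cleared on the outer IPv4 header even in "propagate" mode, and the comment would make that explicit. The expression could also be written as `int setdf = (V_ip4_ipsec_dfbit == 1);`. The variable is read again in the `IPVERSION` case; reading it once into a local would keep both decisions consistent if the sysctl changes in between, although that is probably harmless here. The body of `ipsec_encap()` starts and ends outside this hunk.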
@@ -1122,17 +1122,11 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
 	case IPVERSION:
 		proto = IPPROTO_IPIP;
 		/*
-		 * Collect IP_DF state from the inner header
-		 * and honor system-wide control of how to handle it.
+		 * Copy IP_DF flag from the inner header if
+		 * system-wide control variable is greater than 1.
 		 */
-		switch (V_ip4_ipsec_dfbit) {
-		case 0:	/* clear in outer header */
-		case 1:	/* set in outer header */
-			setdf = V_ip4_ipsec_dfbit;
-			break;
-		default:/* propagate to outer header */
+		if (V_ip4_ipsec_dfbit > 1)
 			setdf = (ip->ip_off & htons(IP_DF)) != 0;
-		}
 		itos = ip->ip_tos;
 		break;
 #endif
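Review bot: The `if (V_ip4_ipsec_dfbit > 1)` test is narrower than the `default:` arm it replaces. The old switch propagated the inner DF flag for every value other than 0 or 1, negative ones included, while a negative value now keeps the initializer's result and clears DF on the outer header. Whether the sysctl can hold a negative value is not visible here. If it is not range-checked elsewhere, `if (V_ip4_ipsec_dfbit != 0 && V_ip4_ipsec_dfbit != 1)` keeps the previous semantics; otherwise the comment should state that values below 0 clear DF. The outer DF bit decides whether tunnelled packets may be fragmented in transit, so a silent change to this policy is worth recording. The enclosing `switch` begins and continues outside this hunk.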