git: 949491f2a639 - main - if_ovpn: clear mbuf flags on rx

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 22 Aug 2023 18:30:36 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=949491f2a6397f2514f8fcde1c7dc61bd82f201a

commit 949491f2a6397f2514f8fcde1c7dc61bd82f201a
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-08-22 15:39:02 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-08-22 18:30:11 +0000

    if_ovpn: clear mbuf flags on rx
    
    When we receive a packet and remove the encapsulating layer we should
    also clear out protocol flags and any mbuf tags.
    
    If we do not we risk confusing firewalls filtering the tunneled packet.
    
    See also:       https://redmine.pfsense.org/issues/14682#change-69073
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/if_ovpn.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index a05b06f090e3..1b5d419fe58b 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1548,6 +1548,10 @@ ovpn_finish_rx(struct ovpn_softc *sc, struct mbuf *m,
 	/* Clear checksum flags in case the real hardware set them. */
 	m->m_pkthdr.csum_flags = 0;
 
+	/* Clear mbuf tags & flags */
+	m_tag_delete_nonpersistent(m);
+	m_clrprotoflags(m);
+
 	/* Ensure we can read the first byte. */
 	m = m_pullup(m, 1);
 	if (m == NULL) {
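
Review bot: The new comment above `m_tag_delete_nonpersistent(m);` ("Clear mbuf tags & flags") restates the two calls without giving a reason, unlike the checksum comment just above it, which does. I suggest carrying the commit message's rationale into the code, for example `/* Clear tags and protocol flags from before decapsulation so firewalls filtering the tunneled packet are not confused. */`. It would also help to state whether the persistent tags that `m_tag_delete_nonpersistent(m)` leaves in place are meant to survive decapsulation. The diffstat shows one file changed and no test, so a regression test for the firewall case described in the message would be a useful follow-up.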