git: 949491f2a639 - main - if_ovpn: clear mbuf flags on rx
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 22 Aug 2023 18:30:36 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=949491f2a6397f2514f8fcde1c7dc61bd82f201a
commit 949491f2a6397f2514f8fcde1c7dc61bd82f201a
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-08-22 15:39:02 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-08-22 18:30:11 +0000
if_ovpn: clear mbuf flags on rx
When we receive a packet and remove the encapsulating layer we should
also clear out protocol flags and any mbuf tags.
If we do not we risk confusing firewalls filtering the tunneled packet.
See also: https://redmine.pfsense.org/issues/14682#change-69073
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/if_ovpn.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index a05b06f090e3..1b5d419fe58b 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1548,6 +1548,10 @@ ovpn_finish_rx(struct ovpn_softc *sc, struct mbuf *m,
/* Clear checksum flags in case the real hardware set them. */
m->m_pkthdr.csum_flags = 0;
+ /* Clear mbuf tags & flags */
+ m_tag_delete_nonpersistent(m);
+ m_clrprotoflags(m);
+
/* Ensure we can read the first byte. */
m = m_pullup(m, 1);
if (m == NULL) {