git: 949491f2a639 - main - if_ovpn: clear mbuf flags on rx
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 22 Aug 2023 18:30:36 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=949491f2a6397f2514f8fcde1c7dc61bd82f201a commit 949491f2a6397f2514f8fcde1c7dc61bd82f201a Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-08-22 15:39:02 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-08-22 18:30:11 +0000 if_ovpn: clear mbuf flags on rx When we receive a packet and remove the encapsulating layer we should also clear out protocol flags and any mbuf tags. If we do not we risk confusing firewalls filtering the tunneled packet. See also: https://redmine.pfsense.org/issues/14682#change-69073 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/if_ovpn.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index a05b06f090e3..1b5d419fe58b 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -1548,6 +1548,10 @@ ovpn_finish_rx(struct ovpn_softc *sc, struct mbuf *m, /* Clear checksum flags in case the real hardware set them. */ m->m_pkthdr.csum_flags = 0; + /* Clear mbuf tags & flags */ + m_tag_delete_nonpersistent(m); + m_clrprotoflags(m); + /* Ensure we can read the first byte. */ m = m_pullup(m, 1); if (m == NULL) {