Module Name: src
Committed By: drochner
Date: Thu Feb 10 20:42:30 UTC 2011
Modified Files:
src/sys/netipsec: ipsec_output.c
Log Message:
In rev. 1.192 of ip_output.c the semantics of ip_output() were changed:
Before, setting the IP_RAWOUTPUT flag implied that the ip_id
(the fragmentation ID) was used as-is.
Now, a new ID is generated unless the new IP_NOIPNEWID flag is set.
The ip_id is part of the data used to calculate the hash
for AH, so set the IP_NOIPNEWID flag to make sure the IP header
is not modified behind AH's back. Otherwise, the recipient will detect
a checksum mismatch and discard the packet.
To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/sys/netipsec/ipsec_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.30 src/sys/netipsec/ipsec_output.c:1.31
--- src/sys/netipsec/ipsec_output.c:1.30 Thu Feb 10 20:24:27 2011
+++ src/sys/netipsec/ipsec_output.c Thu Feb 10 20:42:30 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_output.c,v 1.30 2011/02/10 20:24:27 drochner Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.31 2011/02/10 20:42:30 drochner Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.30 2011/02/10 20:24:27 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.31 2011/02/10 20:42:30 drochner Exp $");
/*
* IPsec output processing.
@@ -137,7 +137,7 @@
ip->ip_off = ntohs(ip->ip_off);
#endif /* __FreeBSD_ */
KERNEL_LOCK(1, NULL);
- rv = ip_output(m, NULL, NULL, IP_RAWOUTPUT,
+ rv = ip_output(m, NULL, NULL, IP_RAWOUTPUT|IP_NOIPNEWID,
(struct ip_moptions *)NULL, (struct socket *)NULL);
KERNEL_UNLOCK_ONE(NULL);
return rv;
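Review bot: The call in the last hunk passes `IP_RAWOUTPUT|IP_NOIPNEWID` with no comment saying why, so the reason (the ip_id is covered by the AH hash and must not change once that hash is computed) is recorded only in the commit log. I would add above the call `/* IP_NOIPNEWID: ip_id is covered by the AH hash; ip_output() must not replace it. */`. Because the flag is set unconditionally, every packet reinjected here keeps whatever ip_id earlier processing left in the header. It is worth confirming that the non-AH paths reaching this call have already assigned a fresh ID. That code is outside the hunk, as is the start of the enclosing function.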