[src/trunk]: src/sys Add the PR_LASTHDR flag on the PFsync and CARP entries. ...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/f3f06e47ad9d
branches:  trunk
changeset: 360525:f3f06e47ad9d
user:      maxv <maxv%NetBSD.org@localhost>
date:      Thu Mar 15 08:15:21 2018 +0000

description:
Add the PR_LASTHDR flag on the PFsync and CARP entries. Otherwise a
"require" IPsec policy is not enforced on them, and unauthenticated
packets will be accepted.

Tested with a require-AH configuration. Sent on tech-net@, no comment.

diffstat:

 sys/netinet/in_proto.c   |  8 ++++----
 sys/netinet6/in6_proto.c |  6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (63 lines):

diff -r 0ea3509ccd1e -r f3f06e47ad9d sys/netinet/in_proto.c
--- a/sys/netinet/in_proto.c    Thu Mar 15 06:48:51 2018 +0000
+++ b/sys/netinet/in_proto.c    Thu Mar 15 08:15:21 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in_proto.c,v 1.126 2018/02/05 08:38:06 maxv Exp $      */
+/*     $NetBSD: in_proto.c,v 1.127 2018/03/15 08:15:21 maxv Exp $      */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.126 2018/02/05 08:38:06 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.127 2018/03/15 08:15:21 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mrouting.h"
@@ -432,7 +432,7 @@
 {      .pr_type = SOCK_RAW,
        .pr_domain = &inetdomain,
        .pr_protocol = IPPROTO_CARP,
-       .pr_flags = PR_ATOMIC|PR_ADDR,
+       .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR,
        .pr_input = carp_proto_input,
        .pr_ctloutput = rip_ctloutput,
        .pr_usrreqs = &rip_usrreqs,
@@ -453,7 +453,7 @@
 {      .pr_type = SOCK_RAW,
        .pr_domain = &inetdomain,
        .pr_protocol = IPPROTO_PFSYNC,
-       .pr_flags        = PR_ATOMIC|PR_ADDR,
+       .pr_flags        = PR_ATOMIC|PR_ADDR|PR_LASTHDR,
        .pr_input        = pfsync_input,
        .pr_ctloutput = rip_ctloutput,
        .pr_usrreqs      = &rip_usrreqs,
diff -r 0ea3509ccd1e -r f3f06e47ad9d sys/netinet6/in6_proto.c
--- a/sys/netinet6/in6_proto.c  Thu Mar 15 06:48:51 2018 +0000
+++ b/sys/netinet6/in6_proto.c  Thu Mar 15 08:15:21 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in6_proto.c,v 1.121 2018/02/07 10:52:20 maxv Exp $     */
+/*     $NetBSD: in6_proto.c,v 1.122 2018/03/15 08:15:21 maxv Exp $     */
 /*     $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $      */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.121 2018/02/07 10:52:20 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.122 2018/03/15 08:15:21 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -452,7 +452,7 @@
 {      .pr_type = SOCK_RAW,
        .pr_domain = &inet6domain,
        .pr_protocol = IPPROTO_CARP,
-       .pr_flags = PR_ATOMIC|PR_ADDR,
+       .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR,
        .pr_input = carp6_proto_input,
        .pr_ctloutput = rip6_ctloutput,
        .pr_usrreqs = &rip6_usrreqs,