System wide policy should be returned when no policy found in the SPD.

The packet was rejected in ipsec[46]_tunnel_validate(). Obtained from: KAME MFC after: 1 week
2026-06-09 00:32:25 -04:00 · 2001-10-29 16:29:41 +00:00 · 2001-10-29 16:29:41 +00:00 · af109ffd14
commit af109ffd14
parent 142211755e
1 changed files with 26 additions and 0 deletions
--- a/sys/netkey/key.c
+++ b/sys/netkey/key.c
@ -570,6 +570,32 @@ key_gettunnel(osrc, odst, isrc, idst)
 	struct sockaddr *os, *od, *is, *id;
 	struct secpolicyindex spidx;

+	if (isrc->sa_family != idst->sa_family) {
+		printf("protocol family mismatched %d != %d\n.",
+		       isrc->sa_family, idst->sa_family);
+		return NULL;
+	}
+
+	/* if no SP found, use default policy. */
+	if (LIST_FIRST(&sptree[dir]) == NULL) {
+		switch (isrc->sa_family) {
+		case PF_INET:
+			if (ip4_def_policy.policy == IPSEC_POLICY_DISCARD)
+				return NULL;
+			ip4_def_policy.refcnt++;
+			return &ip4_def_policy;
+		case PF_INET6:
+			if (ip6_def_policy.policy == IPSEC_POLICY_DISCARD)
+				return NULL;
+			ip6_def_policy.refcnt++;
+			return &ip6_def_policy;
+		default:
+			printf("invalid protocol family %d\n.",
+			       isrc->sa_family);
+			return NULL;
+		}
+	}
+
 	s = splnet();	/*called from softclock()*/
 	LIST_FOREACH(sp, &sptree[dir], chain) {
 		if (sp->state == IPSEC_SPSTATE_DEAD)