| author | Kristof Provost <kp@FreeBSD.org> | 2023-08-22 15:39:02 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2023-08-22 18:30:11 +0000 |
| commit | 949491f2a6397f2514f8fcde1c7dc61bd82f201a | |
| tree | 5ebb40ec8e75ecd01f510e929d60df9f973d12cd | |
| parent | 9d6049d5da8ce70b3f815431bdedcee9c04f60cc | |
if_ovpn: clear mbuf flags on rx
When we receive a packet and remove the encapsulating layer we should
also clear out protocol flags and any mbuf tags.
If we do not we risk confusing firewalls filtering the tunneled packet.
See also: https://redmine.pfsense.org/issues/14682#change-69073
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sys/net/if_ovpn.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index a05b06f090e3..1b5d419fe58b 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -1548,6 +1548,10 @@ ovpn_finish_rx(struct ovpn_softc *sc, struct mbuf *m, /* Clear checksum flags in case the real hardware set them. */ m->m_pkthdr.csum_flags = 0; + /* Clear mbuf tags & flags */ + m_tag_delete_nonpersistent(m); + m_clrprotoflags(m); + /* Ensure we can read the first byte. */ m = m_pullup(m, 1); if (m == NULL) { |
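Review bot: The added comment "Clear mbuf tags & flags" in ovpn_finish_rx() gives neither the reason nor the scope, and the commit message says "any mbuf tags" while the call is m_tag_delete_nonpersistent(m), which leaves persistent tags on the mbuf. Suggest making the comment precise, for example "Drop non-persistent tags and protocol flags inherited from the outer packet so firewalls filtering the tunneled packet are not confused", so a later reader does not assume every tag is gone. The change touches only sys/net/if_ovpn.c; a regression test that passes a decapsulated packet through a filtering rule would guard against this state leaking through again.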
