ipsec: fix IPv6 over IPv4 tunneling.

Properly initialize setdf variable in ipsec_encap(). It is used for AF_INET6 case when IPv6 datagram is going to be encapsulated into IPv4 datagram. PR: 282535 Fixes: 4046178557 MFC after: 1 week
2026-01-16 23:02:24 +00:00 · 2024-11-25 20:42:00 +03:00 · 2024-11-25 20:42:00 +03:00 · c94d6389e4
commit c94d6389e4
parent 4d58cf6ff9
1 changed files with 4 additions and 10 deletions
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@ -1112,7 +1112,7 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
 #endif
 	struct ip *ip;
 #ifdef INET
-	int setdf;
+	int setdf = V_ip4_ipsec_dfbit == 1 ? 1: 0;
 #endif
 	uint8_t itos, proto;

@ -1122,17 +1122,11 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
 	case IPVERSION:
 		proto = IPPROTO_IPIP;
 		/*
-		 * Collect IP_DF state from the inner header
-		 * and honor system-wide control of how to handle it.
+		 * Copy IP_DF flag from the inner header if
+		 * system-wide control variable is greater than 1.
 		 */
-		switch (V_ip4_ipsec_dfbit) {
-		case 0:	/* clear in outer header */
-		case 1:	/* set in outer header */
-			setdf = V_ip4_ipsec_dfbit;
-			break;
-		default:/* propagate to outer header */
+		if (V_ip4_ipsec_dfbit > 1)
 			setdf = (ip->ip_off & htons(IP_DF)) != 0;
-		}
 		itos = ip->ip_tos;
 		break;
 #endif