when ipsec tunnel mode is applied, we are originating packet (instead of
forwarding). go to ip6_output() path for fragmentation and other processing. from kame
parent
23884e8622
commit
cdaa27b23a
|
@ -1,4 +1,4 @@
|
||||||
/* $NetBSD: ip6_forward.c,v 1.40 2003/10/29 10:12:43 mycroft Exp $ */
|
/* $NetBSD: ip6_forward.c,v 1.41 2004/01/16 05:12:08 itojun Exp $ */
|
||||||
/* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */
|
/* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -31,7 +31,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.40 2003/10/29 10:12:43 mycroft Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.41 2004/01/16 05:12:08 itojun Exp $");
|
||||||
|
|
||||||
#include "opt_ipsec.h"
|
#include "opt_ipsec.h"
|
||||||
#include "opt_pfil_hooks.h"
|
#include "opt_pfil_hooks.h"
|
||||||
|
@ -250,10 +250,19 @@ ip6_forward(m, srcrt)
|
||||||
* ipsec esp/tunnel/xxx-xxx/require esp/transport//require;
|
* ipsec esp/tunnel/xxx-xxx/require esp/transport//require;
|
||||||
*/
|
*/
|
||||||
for (isr = sp->req; isr; isr = isr->next) {
|
for (isr = sp->req; isr; isr = isr->next) {
|
||||||
if (isr->saidx.mode == IPSEC_MODE_TRANSPORT)
|
if (isr->saidx.mode == IPSEC_MODE_ANY)
|
||||||
goto skip_ipsec;
|
goto doipsectunnel;
|
||||||
|
if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
|
||||||
|
goto doipsectunnel;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* if there's no need for tunnel mode IPsec, skip.
|
||||||
|
*/
|
||||||
|
if (!isr)
|
||||||
|
goto skip_ipsec;
|
||||||
|
|
||||||
|
doipsectunnel:
|
||||||
/*
|
/*
|
||||||
* All the extension headers will become inaccessible
|
* All the extension headers will become inaccessible
|
||||||
* (since they can be encrypted).
|
* (since they can be encrypted).
|
||||||
|
@ -300,8 +309,17 @@ ip6_forward(m, srcrt)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (ip6 != mtod(m, struct ip6_hdr *)) {
|
||||||
|
/*
|
||||||
|
* now tunnel mode headers are added. we are originating
|
||||||
|
* packet instead of forwarding the packet.
|
||||||
|
*/
|
||||||
|
ip6_output(m, NULL, NULL, IPV6_FORWARDING/*XXX*/, NULL, NULL,
|
||||||
|
NULL);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
/* adjust pointer */
|
/* adjust pointer */
|
||||||
ip6 = mtod(m, struct ip6_hdr *);
|
|
||||||
rt = state.ro ? state.ro->ro_rt : NULL;
|
rt = state.ro ? state.ro->ro_rt : NULL;
|
||||||
dst = (struct sockaddr_in6 *)state.dst;
|
dst = (struct sockaddr_in6 *)state.dst;
|
||||||
if (dst != NULL && rt != NULL) {
|
if (dst != NULL && rt != NULL) {
|
||||||
|
|
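Review bot: In the last hunk, the new `if (ip6 != mtod(m, struct ip6_hdr *))` branch drops the return value of `ip6_output()` and then returns, so a tunnelled packet that fails to send (for example no route or a fragmentation failure) disappears without an error count or log. Capture the result and account for it, e.g. `error = ip6_output(m, NULL, NULL, IPV6_FORWARDING/*XXX*/, NULL, NULL, NULL);` with a local of your choosing. ip6_forward's body starts and ends outside the hunks shown, so I cannot see what it still owns here; if anything per-packet is live at this point (a saved copy for ICMPv6 errors, for instance), this bare `return` would leak it and should go through the same cleanup as the other exits. The `/* adjust pointer */` comment that follows appears to have lost its `ip6 = mtod(...)` assignment and now describes nothing.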