For FAST_IPSEC, ipfilter gets to see wire-format IPsec-encapsulated packets

only. Decapsulated packets bypass ipfilter. This mimics current behaviour
for Kame IPsec.
scw 2003-11-24 20:54:59 +00:00
parent 02de9dde31
commit fd11abcb03
2 changed files with 7 additions and 3 deletions


@ -1,4 +1,4 @@
/* $NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $ */
/* $NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -98,7 +98,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $");
#include "opt_inet.h"
#include "opt_gateway.h"
@ -588,6 +588,8 @@ ip_input(struct mbuf *m)
*/
#ifdef IPSEC
if (!ipsec_getnhist(m))
#elif defined(FAST_IPSEC)
if (!ipsec_indone(m))
#else
if (1)
#endif
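Review bot: The added `#elif defined(FAST_IPSEC)` branch lets a packet skip the filter hooks purely because `ipsec_indone(m)` finds a `PACKET_TAG_IPSEC_IN_DONE` tag on the mbuf, and nothing at this site records that security consequence. I would add a comment above the new test such as `/* FAST_IPSEC: decapsulated packets carry PACKET_TAG_IPSEC_IN_DONE and are not shown to the packet filter; rules on inner addresses never match, so inner traffic is policed by IPsec policy only. */`. The statement guarded by this `if` and the start of the preceding comment lie outside the hunk, so I cannot confirm what exactly is bypassed. It is also worth confirming, in code not shown here, that the tag is attached only after inbound IPsec processing has succeeded and cannot remain on an mbuf that is later forwarded or re-queued.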


@ -1,4 +1,4 @@
/* $NetBSD: ipsec.h,v 1.3 2003/10/06 22:05:15 tls Exp $ */
/* $NetBSD: ipsec.h,v 1.4 2003/11/24 20:54:59 scw Exp $ */
/* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.2.4.1 2003/01/24 05:11:35 sam Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@ -411,6 +411,8 @@ extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
extern int ipsec4_process_packet __P((struct mbuf *, struct ipsecrequest *,
int, int));
extern int ipsec_process_done __P((struct mbuf *, struct ipsecrequest *));
#define ipsec_indone(m) \
(m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));