For FAST_IPSEC, ipfilter gets to see wire-format IPsec-encapsulated packets
only. Decapsulated packets bypass ipfilter. This mimics current behaviour for Kame IPsec.
parent
02de9dde31
commit
fd11abcb03
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $ */
|
||||
/* $NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -98,7 +98,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $");
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_gateway.h"
|
||||
@ -588,6 +588,8 @@ ip_input(struct mbuf *m)
|
||||
*/
|
||||
#ifdef IPSEC
|
||||
if (!ipsec_getnhist(m))
|
||||
#elif defined(FAST_IPSEC)
|
||||
if (!ipsec_indone(m))
|
||||
#else
|
||||
if (1)
|
||||
#endif
|
||||
|
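Review bot: The FAST_IPSEC branch `if (!ipsec_indone(m))` makes the presence of one mbuf tag the only thing that decides whether the guarded statement runs, and nothing at this site says so. The guarded statement is outside the hunk; going by the commit message it is the ipfilter hook, so filter rules never see the inner packet of a tunnel and cannot restrict what arrives through it. I would state that next to the branch, e.g. `/* FAST_IPSEC: a packet carrying PACKET_TAG_IPSEC_IN_DONE was already decapsulated and is not filtered again; only its wire-format form was. */`. It is also worth confirming that the tag is attached only by the IPsec input path after successful processing, because any other code that sets it would exempt a packet from filtering.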
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipsec.h,v 1.3 2003/10/06 22:05:15 tls Exp $ */
|
||||
/* $NetBSD: ipsec.h,v 1.4 2003/11/24 20:54:59 scw Exp $ */
|
||||
/* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.2.4.1 2003/01/24 05:11:35 sam Exp $ */
|
||||
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
|
||||
|
||||
@ -411,6 +411,8 @@ extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
|
||||
extern int ipsec4_process_packet __P((struct mbuf *, struct ipsecrequest *,
|
||||
int, int));
|
||||
extern int ipsec_process_done __P((struct mbuf *, struct ipsecrequest *));
|
||||
#define ipsec_indone(m) \
|
||||
(m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
|
||||
|
||||
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
|
||||
|
||||
|
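Review bot: `ipsec_indone(m)` is added without a comment, although the ip_input.c part of this commit relies on it for a filtering decision. A one-line comment above the macro would be enough, e.g. `/* True when m carries PACKET_TAG_IPSEC_IN_DONE (presumably set once inbound IPsec processing has completed). */`. The macro parenthesises `m` and evaluates it once, so the expansion itself looks fine.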