From fd11abcb03f60e8e8f6e80de8fb55f2b82e03ed5 Mon Sep 17 00:00:00 2001
From: scw
Date: Mon, 24 Nov 2003 20:54:59 +0000
Subject: [PATCH] For FAST_IPSEC, ipfilter gets to see wire-format IPsec-encapsulated packets only. Decapsulated packets bypass ipfilter. This mimics current behaviour for Kame IPsec.
---
 sys/netinet/ip_input.c | 6 ++++--
 sys/netipsec/ipsec.h | 4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index cd37eb110957..e9807799f605 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $ */
+/* $NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -98,7 +98,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $");
 #include "opt_inet.h"
 #include "opt_gateway.h"
@@ -588,6 +588,8 @@ ip_input(struct mbuf *m)
 */
 #ifdef IPSEC
 if (!ipsec_getnhist(m))
+#elif defined(FAST_IPSEC)
+ if (!ipsec_indone(m))
 #else
 if (1)
 #endif
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index e108d9170e7b..98fbdb7e8697 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.3 2003/10/06 22:05:15 tls Exp $ */
+/* $NetBSD: ipsec.h,v 1.4 2003/11/24 20:54:59 scw Exp $ */
 /* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.2.4.1 2003/01/24 05:11:35 sam Exp $ */
 /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
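Review bot: The new `#elif defined(FAST_IPSEC)` branch in the `ip_input` hunk at line 588 of sys/netinet/ip_input.c makes an mbuf tag the sole condition for skipping the filter step, and nothing at the site says that decapsulated traffic is then unfiltered. Per the commit message this matches the KAME behaviour, but the consequence is that ipfilter rules on inner addresses and ports never apply to packets that arrived through an SA, so access limits for IPsec peers have to come from the IPsec policy itself. I would record that in the comment that ends just above `#ifdef IPSEC`, e.g. `FAST_IPSEC: packets tagged PACKET_TAG_IPSEC_IN_DONE were seen by the filter in wire format only and are not filtered again after decapsulation.` That comment begins outside this hunk and the guarded statement follows it outside the hunk, so the wording should be checked against both.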
@@ -411,6 +411,8 @@ extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 extern int ipsec4_process_packet __P((struct mbuf *, struct ipsecrequest *, int, int));
 extern int ipsec_process_done __P((struct mbuf *, struct ipsecrequest *));
+#define ipsec_indone(m) \
+ (m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
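Review bot: `ipsec_indone()` in the hunk at line 411 of sys/netipsec/ipsec.h is added without a comment, although the ip_input.c part of this commit uses its result to decide whether a packet skips ipfilter. A one-line comment above the macro would record that contract, for example `/* True once inbound IPsec processing has tagged the mbuf; ip_input() then bypasses the packet filter. */`. Because the result acts as a filtering exemption, it is worth confirming that PACKET_TAG_IPSEC_IN_DONE is attached only after a packet has passed SA verification; the code that adds the tag is not visible in this diff. The macro also relies on `m_tag_find` being declared wherever ipsec.h is included, which this hunk does not show.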