For FAST_IPSEC, ipfilter gets to see wire-format IPsec-encapsulated packets

only. Decapsulated packets bypass ipfilter. This mimics current behaviour for Kame IPsec.
2003-11-24 20:54:59 +00:00 · 2003-11-24 20:54:59 +00:00 · fd11abcb03
parent 02de9dde31
commit fd11abcb03
2 changed files with 7 additions and 3 deletions
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -98,7 +98,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $");

 #include "opt_inet.h"
 #include "opt_gateway.h"
@ -588,6 +588,8 @@ ip_input(struct mbuf *m)
 	 */
 #ifdef IPSEC
 	if (!ipsec_getnhist(m))
+#elif defined(FAST_IPSEC)
+	if (!ipsec_indone(m))
 #else
 	if (1)
 #endif
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.3 2003/10/06 22:05:15 tls Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.4 2003/11/24 20:54:59 scw Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/ipsec.h,v 1.2.4.1 2003/01/24 05:11:35 sam Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/

@ -411,6 +411,8 @@ extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 extern int ipsec4_process_packet __P((struct mbuf *, struct ipsecrequest *,
 			int, int));
 extern int ipsec_process_done __P((struct mbuf *, struct ipsecrequest *));
+#define ipsec_indone(m)	\
+	(m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)

 extern struct mbuf *ipsec_copypkt __P((struct mbuf *));