- call ip6_output() instead of nd6_output() when ipsec tunnel

mode is applied, since tunneled packets are considered to be generated packets from a tunnel encapsulating node. - tunnel mode may not be applied if SA mode is ANY and policy does not say "tunnel it". check if we have extra IPv6 header on the packet after ipsec6_output_tunnel() and call ip6_output() only if additional IPv6 header is added. - free the copyed packet before returning. Obtained from: KAME
svn path=/head/; revision=126006
2004-02-19 14:57:22 +00:00 · 2004-02-19 14:57:22 +00:00 · 931282ced7 · 2020-12-20 02:59:44 +00:00
commit 931282ced7
parent 6babc58b2f
1 changed files with 21 additions and 3 deletions
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@ -267,10 +267,19 @@ ip6_forward(m, srcrt)
 	 *      ipsec esp/tunnel/xxx-xxx/require esp/transport//require;
 	 */
 	for (isr = sp->req; isr; isr = isr->next) {
-		if (isr->saidx.mode == IPSEC_MODE_TRANSPORT)
-			goto skip_ipsec;
+		if (isr->saidx.mode == IPSEC_MODE_ANY)
+			goto doipsectunnel;
+		if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
+			goto doipsectunnel;
 	}

+	/*
+	 * if there's no need for tunnel mode IPsec, skip.
+	 */
+	if (!isr)
+		goto skip_ipsec;
+
+    doipsectunnel:
 	/*
 	 * All the extension headers will become inaccessible
 	 * (since they can be encrypted).
@ -317,8 +326,17 @@ ip6_forward(m, srcrt)
 		return;
 	}

+	if (ip6 != mtod(m, struct ip6_hdr *)) {
+		/*
+		 * now tunnel mode headers are added.  we are originating
+		 * packet instead of forwarding the packet.
+		 */
+		ip6_output(m, NULL, NULL, IPV6_FORWARDING/*XXX*/, NULL, NULL,
+		    NULL);
+		goto freecopy;
+	}
+
 	/* adjust pointer */
-	ip6 = mtod(m, struct ip6_hdr *);
 	dst = (struct sockaddr_in6 *)state.dst;
 	rt = state.ro ? state.ro->ro_rt : NULL;
 	if (dst != NULL && rt != NULL)