Pass mbuf to pfil processing before stripping outer IP header as it

is described in if_enc(4). MFC after: 2 week Sponsored by: Yandex LLC
svn path=/head/; revision=274230
2014-11-07 12:05:20 +00:00 · 2014-11-07 12:05:20 +00:00 · b6e1ad3a3a · 2020-12-20 02:59:44 +00:00
commit b6e1ad3a3a
parent 20dc9e1740
1 changed files with 6 additions and 17 deletions
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@ -379,15 +379,10 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 	if_inc_counter(encif, IFCOUNTER_IPACKETS, 1);
 	if_inc_counter(encif, IFCOUNTER_IBYTES, m->m_pkthdr.len);

-	/*
-	 * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
-	 * packet later after it has been decapsulated.
-	 */
+	/* Pass the mbuf to enc0 for bpf and pfil. */
 	ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
-
-	if (prot != IPPROTO_IPIP)
-		if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
-			return (error);
+	if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+		return (error);
 #endif /* DEV_ENC */

 	/* IP-in-IP encapsulation */
@ -683,16 +678,10 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 	if_inc_counter(encif, IFCOUNTER_IPACKETS, 1);
 	if_inc_counter(encif, IFCOUNTER_IBYTES, m->m_pkthdr.len);

-	/*
-	 * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
-	 * packet later after it has been decapsulated.
-	 */
+	/* Pass the mbuf to enc0 for bpf and pfil. */
 	ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE);
-
-	/* XXX-BZ does not make sense. */
-	if (prot != IPPROTO_IPIP)
-		if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
-			return (error);
+	if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+		return (error);
 #endif /* DEV_ENC */

 #ifdef INET