Add the missing call to ip6_ipsec_filtertunnel() to be able to control

whether decapsulated IPsec packets will be passed to pfil again depending on the setting of the net.ip6.ipsec6.filtertunnel sysctl. PR: kern/157670 Submitted by: Manuel Kasper (mk neon1.net) MFC after: 2 weeks
2011-06-08 10:59:36 +00:00 · 2011-06-08 10:59:36 +00:00 · 1aaf930d63
commit 1aaf930d63
parent c828da79d9
1 changed files with 7 additions and 0 deletions
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@ -504,6 +504,13 @@ ip6_input(struct mbuf *m)
 		goto bad;
 	}
 #endif
+#ifdef IPSEC
+	/*
+	 * Bypass packet filtering for packets previously handled by IPsec.
+	 */
+	if (ip6_ipsec_filtertunnel(m))
+		goto passin;
+#endif /* IPSEC */

 	/*
 	 * Run through list of hooks for input packets.