From 76c09c025383a07b70a19a5da1c07bd97c727209 Mon Sep 17 00:00:00 2001 From: guido Date: Wed, 16 Oct 2002 09:01:48 +0000 Subject: [PATCH] Get rid of checking for ip sec history. It is true that packets are not supposed to be checked by the firewall rules twice. However, because the various ipsec handlers never call ip_input(), this never happens anyway. This fixes the situation where a gif tunnel is encrypted with IPsec. In such a case, after IPsec processing, the unencrypted contents from the GIF tunnel are fed back to the ipintrq and subsequently handeld by ip_input(). Yet, since there still is IPSec history attached, the packets coming out from the gif device are never fed into the filtering code. This fix was sent to Itojun, and he pointed towartds http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction. This patch actually implements what is stated there (specifically: Packet came from tunnel devices (gif(4) and ipip(4)) will still go through ipf(4). You may need to identify these packets by using interface name directive in ipf.conf(5). Reviewed by: rwatson MFC after: 3 weeks --- sys/netinet/ip_input.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index f22d5500cbd3..3c4a5ae87044 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -421,11 +421,6 @@ ip_input(struct mbuf *m) m_adj(m, ip->ip_len - m->m_pkthdr.len); } -#ifdef IPSEC - if (ipsec_gethist(m, NULL)) - goto pass; -#endif - /* * IpHack's section. * Right now when no processing on packet has done