d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Pass mbuf to pfil processing before stripping outer IP header as it

Browse Source 
is described in if_enc(4).

MFC after:	2 week
Sponsored by:	Yandex LLC
This commit is contained in:
Andrey V. Elsukov 2014-11-07 12:05:20 +00:00
parent 20dc9e1740
commit b6e1ad3a3a
1 changed files with 6 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
sys/netipsec/ipsec_input.c
View File

@ -379,15 +379,10 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
if_inc_counter(encif, IFCOUNTER_IPACKETS, 1);
if_inc_counter(encif, IFCOUNTER_IBYTES, m->m_pkthdr.len);
/*
* Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
* packet later after it has been decapsulated.
*/
/* Pass the mbuf to enc0 for bpf and pfil. */
ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
if (prot != IPPROTO_IPIP)
if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
return (error);
if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif /* DEV_ENC */
/* IP-in-IP encapsulation */
@ -683,16 +678,10 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
if_inc_counter(encif, IFCOUNTER_IPACKETS, 1);
if_inc_counter(encif, IFCOUNTER_IBYTES, m->m_pkthdr.len);
/*
* Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
* packet later after it has been decapsulated.
*/
/* Pass the mbuf to enc0 for bpf and pfil. */
ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE);
/* XXX-BZ does not make sense. */
if (prot != IPPROTO_IPIP)
if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
return (error);
if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif /* DEV_ENC */
#ifdef INET