Author: bz
Date: Wed Jun  8 10:59:36 2011
New Revision: 222856
URL: http://svn.freebsd.org/changeset/base/222856

Log:
  Add the missing call to ip6_ipsec_filtertunnel() to be able to control
  whether decapsulated IPsec packets will be passed to pfil again depending
  on the setting of the net.ip6.ipsec6.filtertunnel sysctl.
  
  PR:           kern/157670
  Submitted by: Manuel Kasper (mk neon1.net)
  MFC after:    2 weeks

Modified:
  head/sys/netinet6/ip6_input.c

Modified: head/sys/netinet6/ip6_input.c
==============================================================================
--- head/sys/netinet6/ip6_input.c       Wed Jun  8 08:22:54 2011        
(r222855)
+++ head/sys/netinet6/ip6_input.c       Wed Jun  8 10:59:36 2011        
(r222856)
@@ -504,6 +504,13 @@ ip6_input(struct mbuf *m)
                goto bad;
        }
 #endif
+#ifdef IPSEC
+       /*
+        * Bypass packet filtering for packets previously handled by IPsec.
+        */
+       if (ip6_ipsec_filtertunnel(m))
+               goto passin;
+#endif /* IPSEC */
 
        /*
         * Run through list of hooks for input packets.
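Review bot: The comment added above the `if (ip6_ipsec_filtertunnel(m))` test reads as an unconditional bypass, but the log message says the behaviour depends on the net.ip6.ipsec6.filtertunnel sysctl. The comment should name that sysctl and state the return convention. As written, a non-zero return jumps to `passin` and skips the pfil hooks that follow, which reads as the opposite of what the name "filtertunnel" suggests. Something like "Skip pfil for packets already decapsulated by IPsec unless net.ip6.ipsec6.filtertunnel is set" would make clear to anyone auditing firewall coverage when decapsulated traffic is not seen by the input hooks.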
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
