authorMatt Smith <mgsmith@netgate.com>2015-11-18 10:30:59 -0600
committerMatt Smith <mgsmith@netgate.com>2015-11-18 10:30:59 -0600
commitd82b01bdc293b2d3ff73a71603ab60382b2ba5b6 (patch)
tree4e0f632fe3c9950dda6c9cc307e412a345e4d7c7
parent989100c84c074ba652519ad2e4f6c141b6db0556 (diff)
Importing pfSense patch ipsec_transport_filterfix.diff
-rw-r--r--sys/netipsec/ipsec_input.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 15d5bae..72884ad 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -472,11 +472,11 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
* Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
* packet later after it has been decapsulated.
*/
- ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
+ ipsec_bpf(m, sav, AF_INET, saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE);
if (prot != IPPROTO_IPIP)
if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
- ENC_IN|ENC_BEFORE)) != 0)
+ saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif
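Review bot: For transport-mode SAs the enc0 tap and the pfil call now run only with `ENC_IN|ENC_AFTER`, so nothing in this hunk presents those packets to the filter at the `ENC_BEFORE` stage any more; a ruleset or filter mask that selects only the before stage would, as far as the hunk shows, stop matching inbound transport-mode traffic. The comment above the call still describes only the IPIP case and should state the new rule, for example `/* Transport mode: no inner IP header follows, so present the packet to enc0 as ENC_AFTER. */`. The same ternary is written out twice here and twice more in the `ipsec6_common_input_cb` hunk, and it reads `saidx->mode` while the adjacent argument uses `&sav->sah->saidx`; computing it once, `int encflags = ENC_IN | (saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_AFTER : ENC_BEFORE);`, would keep both calls in step and the lines within 80 columns. The assignment of `saidx` is outside the hunk, so confirm it is set before this point in both functions.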
@@ -727,12 +727,12 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
* Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
* packet later after it has been decapsulated.
*/
- ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE);
+ ipsec_bpf(m, sav, AF_INET6, saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE);
/* XXX-BZ does not make sense. */
if (prot != IPPROTO_IPIP)
if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
- ENC_IN|ENC_BEFORE)) != 0)
+ saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif