authorume <ume@FreeBSD.org>2004-02-19 14:57:22 +0000
committerume <ume@FreeBSD.org>2004-02-19 14:57:22 +0000
commit00e521cd6bd895307dc3bdf62592990a19b40e23 (patch)
tree8cbe3ad7c2894c32b4cdbc288ebfdf621d5f988b
parent8cb9638ef44f02e1ea06075e13e3bc57a0d8088a (diff)
- call ip6_output() instead of nd6_output() when ipsec tunnel
mode is applied, since tunneled packets are considered to be generated packets from a tunnel encapsulating node. - tunnel mode may not be applied if SA mode is ANY and policy does not say "tunnel it". check if we have extra IPv6 header on the packet after ipsec6_output_tunnel() and call ip6_output() only if additional IPv6 header is added. - free the copied packet before returning. Obtained from: KAME
-rw-r--r--sys/netinet6/ip6_forward.c24
1 files changed, 21 insertions, 3 deletions
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 508e665..689404b 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -267,11 +267,20 @@ ip6_forward(m, srcrt)
* ipsec esp/tunnel/xxx-xxx/require esp/transport//require;
*/
for (isr = sp->req; isr; isr = isr->next) {
- if (isr->saidx.mode == IPSEC_MODE_TRANSPORT)
- goto skip_ipsec;
+ if (isr->saidx.mode == IPSEC_MODE_ANY)
+ goto doipsectunnel;
+ if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
+ goto doipsectunnel;
}
/*
+ * if there's no need for tunnel mode IPsec, skip.
+ */
+ if (!isr)
+ goto skip_ipsec;
+
+ doipsectunnel:
+ /*
* All the extension headers will become inaccessible
* (since they can be encrypted).
* Don't panic, we need no more updates to extension headers
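Review bot: The two `goto doipsectunnel` statements and the `doipsectunnel:` label can be replaced by a `break`, because the label sits immediately after the `if (!isr) goto skip_ipsec;` check that a fall-through out of the loop reaches anyway: `if (isr->saidx.mode == IPSEC_MODE_ANY || isr->saidx.mode == IPSEC_MODE_TUNNEL) break;` followed by the existing `if (!isr) goto skip_ipsec;`. The resulting `isr` is identical (the first ANY/TUNNEL request, or NULL when none matched) and the function loses a label that is entered by jumping out of a loop body. The comment above the `if (!isr)` test should also say what the pointer means at that point, e.g. `/* isr is the first request that may need tunnel mode; NULL means none did. */`. ip6_forward() starts and continues outside this hunk.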
@@ -317,8 +326,17 @@ ip6_forward(m, srcrt)
return;
}
+ if (ip6 != mtod(m, struct ip6_hdr *)) {
+ /*
+ * now tunnel mode headers are added. we are originating
+ * packet instead of forwarding the packet.
+ */
+ ip6_output(m, NULL, NULL, IPV6_FORWARDING/*XXX*/, NULL, NULL,
+ NULL);
+ goto freecopy;
+ }
+
/* adjust pointer */
- ip6 = mtod(m, struct ip6_hdr *);
dst = (struct sockaddr_in6 *)state.dst;
rt = state.ro ? state.ro->ro_rt : NULL;
if (dst != NULL && rt != NULL)
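Review bot: The `ip6 != mtod(m, struct ip6_hdr *)` test uses pointer inequality as a proxy for "an outer IPv6 header was prepended", but the saved `ip6` also differs from the new data pointer whenever ipsec6_output_tunnel() merely relocates the mbuf data (a pullup or a fresh leading mbuf) without encapsulating; if that can happen for the ANY-without-tunnel case the commit message describes, a packet that should stay on the forwarding path would instead be handed to ip6_output() as locally originated, skipping the checks that follow this hunk. I have not verified ipsec6_output_tunnel()'s behaviour here, so if it guarantees the data pointer only moves when a header is added, a comment stating that contract above the test would save the next reader the same question, e.g. `/* ipsec6_output_tunnel() only moves the data pointer when it prepends an outer header; a changed pointer therefore means tunnel mode was applied. */`. Otherwise a more explicit signal (a length increase, or a flag returned by the tunnel routine) would be safer than the pointer compare. The return value of `ip6_output()` is also discarded, so a failed transmit of the encapsulated packet is neither counted nor logged the way the transport-mode path is; `(void)` it if that is intended. ip6_forward() continues outside this hunk.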