author | Renato Botelho <renato@netgate.com> | 2015-08-17 13:53:33 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2015-08-17 13:53:33 -0300 |
commit | 924a927559577e9cea5abf4a725e679acad834bf (patch) | |
tree | a6c4f5236fd15ea20bf708642f7f3c341e6b6757 | |
parent | 2fb6d009cccdaf8b780594600da81d5910168a3e (diff) | |
Importing pfSense patch ipsec_transport_filterfix.diff
-rw-r--r-- | sys/netipsec/ipsec_input.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index c906d91..405806f 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -353,9 +353,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 encif->if_ibytes += m->m_pkthdr.len;
 /* Pass the mbuf to enc0 for bpf and pfil. */
- ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
+ ipsec_bpf(m, sav, AF_INET, saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE);
 if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
- ENC_IN|ENC_BEFORE)) != 0)
+ saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE)) != 0)
 return (error);
 #endif /* DEV_ENC */
@@ -657,9 +657,9 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 encif->if_ibytes += m->m_pkthdr.len;
 /* Pass the mbuf to enc0 for bpf and pfil. */
- ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE);
+ ipsec_bpf(m, sav, AF_INET6, saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE);
 if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
- ENC_IN|ENC_BEFORE)) != 0)
+ saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE)) != 0)
 return (error);
 #endif /* DEV_ENC */ |
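Review bot: In the ipsec4_common_input_cb hunk, inbound transport-mode packets now reach `ipsec_bpf()` and `ipsec_filter()` tagged `ENC_IN|ENC_AFTER` only, so if those helpers gate on a configured before/after mask (their bodies are not in this diff), a mask selecting only `ENC_BEFORE` would let transport-mode traffic skip the enc0 pfil rules without any error; the ipsec6_common_input_cb hunk has the same exposure. A comment above the call should state why transport mode is treated as "after" and which mask setting the firewall rules rely on, for example `/* Transport mode: no inner header to strip, so present the packet to enc0 as ENC_AFTER; the enc filter mask must include ENC_AFTER or these packets bypass pfil. */`. The selector is also written out four times and reads `saidx`, which is assigned outside the hunk, while the filter call still passes `&sav->sah->saidx`; computing it once, e.g. `encflags = ENC_IN | (saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_AFTER : ENC_BEFORE);`, and passing `encflags` to both calls keeps the bpf and pfil views in step and the lines within 80 columns. Both function bodies start and end outside their hunks.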