author | gnn <gnn@FreeBSD.org> | 2016-02-04 22:53:12 +0000 |
---|---|---|
committer | gnn <gnn@FreeBSD.org> | 2016-02-04 22:53:12 +0000 |
commit | cd6535554e503550ca26a3ad8290147c8655013d (patch) | |
tree | 003068d5195e948340db1290faf264aafe30ed88 /sys/netinet/ip_input.c | |
parent | 5c35f05097207e5b70f18aa41aa368f51f037303 (diff) | |
MFC: r290383,295282,295283
Replace the fastforward path with tryforward which does not require a
sysctl and will always be on. The former split between default and
fast forwarding is removed by this commit while preserving the ability
to use all network stack features.
Differential Revision: https://reviews.freebsd.org/D4042
Reviewed by: ae, melifaro, olivier, rwatson
Approved by: re (glebius)
Sponsored by: Rubicon Communications (Netgate)
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r-- | sys/netinet/ip_input.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 2dc080f..0b29d49 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$");
 #include <netinet/ip_carp.h>
 #ifdef IPSEC
 #include <netinet/ip_ipsec.h>
+#include <netipsec/ipsec.h>
+#include <netipsec/key.h>
 #endif /* IPSEC */
 #include <sys/socketvar.h>
@@ -464,12 +466,22 @@ tooshort:
 } else
 m_adj(m, ip_len - m->m_pkthdr.len);
 }
+ /* Try to forward the packet, but if we fail continue */
 #ifdef IPSEC
+ /* For now we do not handle IPSEC in tryforward. */
+ if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) &&
+ (V_ipforwarding == 1))
+ if (ip_tryforward(m) == NULL)
+ return;
 /*
 * Bypass packet filtering for packets previously handled by IPsec.
 */
 if (ip_ipsec_filtertunnel(m))
 goto passin;
+#else
+ if (V_ipforwarding == 1)
+ if (ip_tryforward(m) == NULL)
+ return;
 #endif /* IPSEC */
 /* |
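Review bot: Both new call sites in the second hunk test `ip_tryforward(m) == NULL` but discard the returned mbuf, so ip_input() carries on with its original `m` whenever the call returns non-NULL. ip_tryforward() is defined outside this diff; if it can hand back a different mbuf than it was given (for instance after a pullup or after a packet-filter hook replaced the chain), the code following `#endif /* IPSEC */` would operate on a stale or freed buffer. Assigning the result closes that gap in the IPSEC branch and the `#else` branch alike: `if ((m = ip_tryforward(m)) == NULL)`. The nested unbraced `if` pairs would also be easier to audit with braces, since the `#ifdef` splits them across preprocessor branches. ip_input()'s body starts and ends outside the hunk.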