author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-26 13:11:43 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-26 13:11:43 -0500 |
commit | de3b422781821f809b436ced1af4fc3dd4dc0c1a (patch) | |
tree | 606c8e705f89a3d836c816240ad381fbe4ff93a0 /sys/netinet/ip_input.c | |
parent | c58873dc9abc56028cc3435f692fd3583bd143af (diff) | |
If there are any IPSEC security policies skip the tryforward step.
TAG: tryforward
Obtained from: https://github.com/gvnn3/freebsd/commit/a2e67b29464bbf822f3da313ae2de817c4faa401
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r-- | sys/netinet/ip_input.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 5009346..6b19eb3 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$");
 #include <netinet/ip_carp.h>
 #ifdef IPSEC
 #include <netinet/ip_ipsec.h>
+#include <netipsec/ipsec.h>
+#include <netipsec/key.h>
 #endif /* IPSEC */
 #include <sys/socketvar.h>
@@ -715,8 +717,15 @@ ours:
 }
 /* Try to forward the packet, but if we fail continue */
+#ifdef IPSEC
+ /* For now we do not handle IPSEC in tryforward. */
+ if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND))
+ if (ip_tryforward(m) == NULL)
+ return;
+#else
 if (ip_tryforward(m) == NULL)
 return;
+#endif /* IPSEC */
 #ifdef IPSEC
 /* |
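Review bot: The `#ifdef IPSEC` branch in the second hunk nests two unbraced `if` statements and repeats the `ip_tryforward(m)` call from the `#else` branch, so a later edit that adds an `else` or changes only one copy can silently alter which packets take the fast path. Folding the guard into a single condition, `if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) && ip_tryforward(m) == NULL)` followed by `return;`, keeps the two branches visibly equivalent. The new comment should also record why the guard exists, for example `/* tryforward does not consult the IPsec policy database; take it only when no SP is installed in either direction. */`; that rationale is inferred from the commit message and should be confirmed against ip_tryforward(). The enclosing function starts and ends outside the hunk.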