authorLuiz Otavio O Souza <luiz@netgate.com>2015-10-26 13:11:43 -0500
committerLuiz Otavio O Souza <luiz@netgate.com>2015-10-26 13:11:43 -0500
commitde3b422781821f809b436ced1af4fc3dd4dc0c1a (patch)
tree606c8e705f89a3d836c816240ad381fbe4ff93a0 /sys/netinet/ip_input.c
parentc58873dc9abc56028cc3435f692fd3583bd143af (diff)
If there are any IPSEC security policies, skip the tryforward step.
TAG: tryforward Obtained from: https://github.com/gvnn3/freebsd/commit/a2e67b29464bbf822f3da313ae2de817c4faa401
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r--sys/netinet/ip_input.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 5009346..6b19eb3 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$");
#include <netinet/ip_carp.h>
#ifdef IPSEC
#include <netinet/ip_ipsec.h>
+#include <netipsec/ipsec.h>
+#include <netipsec/key.h>
#endif /* IPSEC */
#include <sys/socketvar.h>
@@ -715,8 +717,15 @@ ours:
}
/* Try to forward the packet, but if we fail continue */
+#ifdef IPSEC
+ /* For now we do not handle IPSEC in tryforward. */
+ if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND))
+ if (ip_tryforward(m) == NULL)
+ return;
+#else
if (ip_tryforward(m) == NULL)
return;
+#endif /* IPSEC */
#ifdef IPSEC
/*
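Review bot: The new `#ifdef IPSEC` arm nests two unbraced `if` statements and duplicates the `ip_tryforward(m)` call in both preprocessor arms, which makes the policy gate easy to break in a later edit. Folding the gate into one condition, `if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) && ip_tryforward(m) == NULL)` followed by `return;`, keeps the guard and the early return together. The comment `/* For now we do not handle IPSEC in tryforward. */` should also state the consequence it protects against, presumably that a packet taken by the fast path would skip the IPsec processing in the `#ifdef IPSEC` block that follows. For example: `/* tryforward performs no IPsec policy lookup; only use it when no SP is installed in either direction. */`. The enclosing function starts and ends outside the hunk, so it is not visible here whether the `key_havesp()` result can change between this check and the forward.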