authorsam <sam@FreeBSD.org>2003-02-23 00:47:06 +0000
committersam <sam@FreeBSD.org>2003-02-23 00:47:06 +0000
commit87582b9c57b44ade7cb2f19751545fb813262b93 (patch)
tree824e8df7239aadec937312f500ce5b1b196ed895 /sys/netinet/ip_input.c
parente34fd150f8cb9c6bcadb708854383f53b1092d05 (diff)
Add a new config option IPSEC_FILTERGIF to control whether or not
packets coming out of a GIF tunnel are re-processed by ipfw, et al. By default they are not reprocessed. With the option they are. This reverts 1.214. Prior to that change packets were not re-processed. After it they were, which caused problems because the packets do not have distinguishing characteristics (like a special network if) that allow them to be filtered specially. This is really a stopgap measure designed for immediate MFC so that 4.8 has handling consistent with what was in 4.7. PR: 48159 Reviewed by: Guido van Rooij <guido@gvr.org> MFC after: 1 day
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r--sys/netinet/ip_input.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 04aa1c3..7e1ed1f 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -427,6 +427,13 @@ tooshort:
} else
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
+#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
+ /*
+ * Bypass packet filtering for packets from a tunnel (gif).
+ */
+ if (ipsec_gethist(m, NULL))
+ goto pass;
+#endif
/*
* IpHack's section.
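Review bot: The added check `if (ipsec_gethist(m, NULL)) goto pass;` makes filter bypass the default for any mbuf carrying IPsec history, while the comment above it speaks only of "packets from a tunnel (gif)". The condition never looks at the receive interface, so if ipsec_gethist() reports history for every IPsec-processed packet (its definition is outside the hunk), the bypass is wider than the comment says. Because `IPSEC_FILTERGIF` is opt-in, a kernel built with `IPSEC` alone would send decapsulated inner packets to `pass` without visiting the filter hooks that appear to follow the IpHack's comment, leaving that traffic constrained only by IPsec policy rather than by ipfw rules. I would say so in the comment, e.g. `/* Packets with IPsec history skip the packet filters below unless the kernel is built with IPSEC_FILTERGIF; inner traffic is then limited only by IPsec policy. */`, and describe the option the same way where it is declared. The enclosing function and the `pass` label lie outside the hunk.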