diff options
| author | ume <ume@FreeBSD.org> | 2003-10-29 15:07:04 +0000 |
|---|---|---|
| committer | ume <ume@FreeBSD.org> | 2003-10-29 15:07:04 +0000 |
| commit | b9fecc82d3e55cefb5fd427307272fed377b780a (patch) | |
| tree | ff2af6160ee3c3b0bf6e218dc2107ae003e82cde /sys/netinet6/esp_input.c | |
| parent | f965698ed4683de29221f38b96189223a4cf0b2e (diff) | |
| download | FreeBSD-src-b9fecc82d3e55cefb5fd427307272fed377b780a.zip FreeBSD-src-b9fecc82d3e55cefb5fd427307272fed377b780a.tar.gz | |
add ECN support in layer-3.
- implement the tunnel egress rule in ip_ecn_egress() in ip_ecn.c.
make ip{,6}_ecn_egress() return integer to tell the caller that
this packet should be dropped.
- handle ECN at fragment reassembly in ip_input.c and frag6.c.
Obtained from: KAME
Diffstat (limited to 'sys/netinet6/esp_input.c')
| -rw-r--r-- | sys/netinet6/esp_input.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c index f2d802c..f25d0f3 100644 --- a/sys/netinet6/esp_input.c +++ b/sys/netinet6/esp_input.c @@ -371,7 +371,10 @@ noreplaycheck: } ip = mtod(m, struct ip *); /* ECN consideration. */ - ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos); + if (!ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos)) { + ipsecstat.in_inval++; + goto bad; + } if (!key_checktunnelsanity(sav, AF_INET, (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) { ipseclog((LOG_ERR, "ipsec tunnel address mismatch " @@ -723,7 +726,10 @@ noreplaycheck: } ip6 = mtod(m, struct ip6_hdr *); /* ECN consideration. */ - ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow); + if (!ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow)) { + ipsec6stat.in_inval++; + goto bad; + } if (!key_checktunnelsanity(sav, AF_INET6, (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) { ipseclog((LOG_ERR, "ipsec tunnel address mismatch " |
