authorbz <bz@FreeBSD.org>2011-06-08 10:59:36 +0000
committerbz <bz@FreeBSD.org>2011-06-08 10:59:36 +0000
commit1aaf930d637f7d137cd8057e7391f65e77a20d22 (patch)
tree49cf016c2aeae81ac18e4f35e9ec354dacf50471 /sys/netinet6/ip6_input.c
parentc828da79d9617611cbdaf46f6c4aa2990560d6f9 (diff)
Add the missing call to ip6_ipsec_filtertunnel() to be able to control
whether decapsulated IPsec packets will be passed to pfil again depending
on the setting of the net.ip6.ipsec6.filtertunnel sysctl.

PR: kern/157670
Submitted by: Manuel Kasper (mk neon1.net)
MFC after: 2 weeks
Diffstat (limited to 'sys/netinet6/ip6_input.c')
-rw-r--r--sys/netinet6/ip6_input.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 052b8f6..de3a622 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -504,6 +504,13 @@ ip6_input(struct mbuf *m)
goto bad;
}
#endif
+#ifdef IPSEC
+ /*
+ * Bypass packet filtering for packets previously handled by IPsec.
+ */
+ if (ip6_ipsec_filtertunnel(m))
+ goto passin;
+#endif /* IPSEC */
/*
* Run through list of hooks for input packets.
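Review bot: The comment above `if (ip6_ipsec_filtertunnel(m))` describes the pfil bypass as unconditional, while the commit message says it depends on the net.ip6.ipsec6.filtertunnel sysctl, so a reader of the code alone cannot tell when decapsulated traffic escapes the input firewall hooks. I would reword it to name the knob and the consequence, e.g. `/* Skip pfil for packets already decapsulated by IPsec, unless net.ip6.ipsec6.filtertunnel requests that they be filtered again. */`. It is also worth one sentence noting that on the bypass path the inner packet is not seen by the input packet-filter hooks here, so policy for tunnelled traffic must be enforced elsewhere. The `passin` label and the rest of ip6_input() lie outside this hunk, so exactly which checks the jump skips, and what ip6_ipsec_filtertunnel() returns for a non-IPsec mbuf, cannot be confirmed from these lines.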