author | bz <bz@FreeBSD.org> | 2009-05-23 16:42:38 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2009-05-23 16:42:38 +0000 |
commit | 9642ff6e283a56096187f128604a36cf5e445825 (patch) | |
tree | af224eeb2132573550696e499948967fb4a2e0d7 /sys/netinet6 | |
parent | dc84aec17116643eb20765e9bb3f4818bd52e4f4 (diff) | |
Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL
kernel option.
This also permits tuning of the option per virtual network stack, as
well as separately for inet and inet6.
The kernel option is left for a transition period, marked deprecated,
and will be removed soon.
Initially requested by: phk (1 year 1 day ago)
MFC after: 4 weeks
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- | sys/netinet6/ip6_ipsec.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index a0c1abc..57a5044 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -76,6 +76,10 @@ __FBSDID("$FreeBSD$");
 extern struct protosw inet6sw[];
+#ifdef VIMAGE_GLOBALS
+int ip6_ipsec6_filtertunnel;
+#endif
+
 /*
 * Check if we have to jump over firewall processing for this packet.
 * Called from ip_input().
@@ -84,11 +88,14 @@ extern struct protosw inet6sw[];
 int
 ip6_ipsec_filtertunnel(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
+#if defined(IPSEC)
+ INIT_VNET_IPSEC(curvnet);
+
 /*
 * Bypass packet filtering for packets from a tunnel.
 */
- if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ if (!V_ip6_ipsec6_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 return 1;
 #endif
 return 0; |
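Review bot: The new global `ip6_ipsec6_filtertunnel` in the first hunk is defined without any comment, and since it gates a firewall-bypass decision its meaning (nonzero = IPsec-tunnelled inbound packets still pass through the packet filter) can only be recovered by reading the negated test `!V_ip6_ipsec6_filtertunnel` in the second hunk. Add above the definition: `/* Nonzero: keep running IPsec-tunnelled inbound packets through the packet filter (replaces the deprecated IPSEC_FILTERTUNNEL option); zero: skip the filter when PACKET_TAG_IPSEC_IN_DONE is present. */`. Nothing in this diff initializes the variable from the deprecated IPSEC_FILTERTUNNEL option or declares the sysctl the commit message describes; if that lives outside sys/netinet6 (the diffstat is limited to that directory), it is worth confirming that a kernel still built with the old option keeps the filtering behaviour it had, because the `#if` in `ip6_ipsec_filtertunnel` no longer consults it at all. The same `#if defined(IPSEC)` block now references `V_ip6_ipsec6_filtertunnel` in the non-VIMAGE_GLOBALS build too, so the vnet-side symbol must be provided by a header this file already includes.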