author | bz <bz@FreeBSD.org> | 2011-06-08 10:59:36 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2011-06-08 10:59:36 +0000 |
commit | 1aaf930d637f7d137cd8057e7391f65e77a20d22 (patch) | |
tree | 49cf016c2aeae81ac18e4f35e9ec354dacf50471 /sys/netinet6 | |
parent | c828da79d9617611cbdaf46f6c4aa2990560d6f9 (diff) | |
Add the missing call to ip6_ipsec_filtertunnel() to be able to control
whether decapsulated IPsec packets will be passed to pfil again depending
on the setting of the net.ip6.ipsec6.filtertunnel sysctl.
PR: kern/157670
Submitted by: Manuel Kasper (mk neon1.net)
MFC after: 2 weeks
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- | sys/netinet6/ip6_input.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 052b8f6..de3a622 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -504,6 +504,13 @@ ip6_input(struct mbuf *m) goto bad; } #endif +#ifdef IPSEC + /* + * Bypass packet filtering for packets previously handled by IPsec. + */ + if (ip6_ipsec_filtertunnel(m)) + goto passin; +#endif /* IPSEC */ /* * Run through list of hooks for input packets. |
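Review bot: The comment in the new `#ifdef IPSEC` block, just before "Run through list of hooks for input packets", says filtering is bypassed for packets previously handled by IPsec but does not say that the bypass depends on the net.ip6.ipsec6.filtertunnel sysctl named in the commit message. The name ip6_ipsec_filtertunnel() also reads as if a non-zero return meant "filter the tunnel", while `if (ip6_ipsec_filtertunnel(m)) goto passin;` skips the hooks on a non-zero return. Suggest having the comment state the return convention and which sysctl value leads to the bypass, so a reader auditing firewall coverage of decapsulated traffic does not have to open the helper. Because `goto passin` jumps over the pfil hook run, it is also worth confirming that nothing between the hook call and the passin label (not visible in this hunk) is still needed for decapsulated packets.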