authorRenato Botelho <renato@netgate.com>2015-08-17 13:53:05 -0300
committerRenato Botelho <renato@netgate.com>2015-08-17 13:53:05 -0300
commit1a5bcc816de96758225aa0a4d2b5ddc7b88b6b58 (patch)
treef3719f5fc32497bee1670f4d905a743252da0714 /sys/netinet
parentcd974c33ee2686b51a072a0938c0e5dc45729e00 (diff)
Importing pfSense patch IPSEC_sysctl.RELENG_10.diff
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in.h3
-rw-r--r--sys/netinet/ip_input.c14
-rw-r--r--sys/netinet/ip_output.c24
-rw-r--r--sys/netinet/ip_var.h2
4 files changed, 27 insertions, 16 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index fa4cebe..5ec7ed7 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -702,7 +702,8 @@ int getsourcefilter(int, uint32_t, struct sockaddr *, socklen_t,
#define IPCTL_FASTFORWARDING 14 /* use fast IP forwarding code */
#define IPCTL_KEEPFAITH 15 /* FAITH IPv4->IPv6 translater ctl */
#define IPCTL_GIF_TTL 16 /* default TTL for gif encap packet */
-#define IPCTL_MAXID 17
+#define IPCTL_IPSEC_INUSE 17
+#define IPCTL_MAXID 18
#endif /* __BSD_VISIBLE */
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 77e6a48..81974fd 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -97,6 +97,11 @@ SYSCTL_VNET_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
&VNET_NAME(ipforwarding), 0,
"Enable IP forwarding between interfaces");
+VNET_DEFINE(int, ipipsec_in_use);
+SYSCTL_VNET_INT(_net_inet_ip, IPCTL_IPSEC_INUSE, ipsec_in_use, CTLFLAG_RW,
+ &VNET_NAME(ipipsec_in_use), 0,
+ "Enable IPSec processing of packets");
+
static VNET_DEFINE(int, ipsendredirects) = 1; /* XXX */
#define V_ipsendredirects VNET(ipsendredirects)
SYSCTL_VNET_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
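Review bot: `VNET_DEFINE(int, ipipsec_in_use);` at the top of this hunk has no initializer, so the knob is 0 by default, and every hook gated on it in the later hunks (ip_ipsec_filtertunnel, ip_ipsec_fwd, ip_ipsec_input, ip_ipsec_mtu, and ip_ipsec_output in ip_output.c) is skipped until an administrator sets net.inet.ip.ipsec_in_use=1; in stock FreeBSD ip_ipsec_input and ip_ipsec_fwd are where the inbound/forwarding SPD checks happen, so a policy that requires IPsec is not enforced while the knob is off. That is a fail-open default for anyone importing this patch outside pfSense's own configuration flow; either initialize it on, `VNET_DEFINE(int, ipipsec_in_use) = 1;`, or say so in the description string, e.g. `"Enable IPsec processing of packets (0 also skips inbound SPD enforcement)"`. The definition and SYSCTL_VNET_INT are also outside `#ifdef IPSEC` while every consumer is inside one, so kernels built without IPsec export a knob that does nothing; wrapping these five lines in `#ifdef IPSEC` keeps the two consistent.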
@@ -471,7 +476,7 @@ tooshort:
/*
* Bypass packet filtering for packets previously handled by IPsec.
*/
- if (ip_ipsec_filtertunnel(m))
+ if (V_ipipsec_in_use && ip_ipsec_filtertunnel(m))
goto passin;
#endif /* IPSEC */
@@ -678,7 +683,7 @@ passin:
m_freem(m);
} else {
#ifdef IPSEC
- if (ip_ipsec_fwd(m))
+ if (V_ipipsec_in_use && ip_ipsec_fwd(m))
goto bad;
#endif /* IPSEC */
ip_forward(m, dchg);
@@ -725,7 +730,7 @@ ours:
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
- if (ip_ipsec_input(m))
+ if (V_ipipsec_in_use && ip_ipsec_input(m))
goto bad;
#endif /* IPSEC */
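Review bot: Gating ip_ipsec_input here only skips the per-packet check on traffic that has already been received; if ESP/AH decapsulation still enters through the protocol switch (netipsec is outside this diffstat, so I cannot confirm it was changed), flipping the sysctl to 0 at runtime leaves existing SAs decrypting traffic that is then delivered with neither this check nor the ip_ipsec_filtertunnel bypass in the earlier hunk applied. The name "in_use" and the description "Enable IPSec processing of packets" suggest a broader effect than the hooks actually gated, so a comment at the first use would help: `/* V_ipipsec_in_use gates only the ip_ipsec_* hooks, not SA input via the protosw. */`. The enclosing ip_input body starts and ends outside this hunk.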
@@ -1524,7 +1529,8 @@ ip_forward(struct mbuf *m, int srcrt)
* If IPsec is configured for this path,
* override any possibly mtu value set by ip_output.
*/
- mtu = ip_ipsec_mtu(mcopy, mtu);
+ if (V_ipipsec_in_use)
+ mtu = ip_ipsec_mtu(mcopy, mtu);
#endif /* IPSEC */
/*
* If the MTU was set before make sure we are below the
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 2db4578..aee6834 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -482,18 +482,20 @@ again:
sendit:
#ifdef IPSEC
- switch(ip_ipsec_output(&m, inp, &flags, &error)) {
- case 1:
- goto bad;
- case -1:
- goto done;
- case 0:
- default:
- break; /* Continue with packet processing. */
+ if (V_ipipsec_in_use) {
+ switch(ip_ipsec_output(&m, inp, &flags, &error)) {
+ case 1:
+ goto bad;
+ case -1:
+ goto done;
+ case 0:
+ default:
+ break; /* Continue with packet processing. */
+ }
+ /* Update variables that are affected by ipsec4_output(). */
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
}
- /* Update variables that are affected by ipsec4_output(). */
- ip = mtod(m, struct ip *);
- hlen = ip->ip_hl << 2;
#endif /* IPSEC */
/* Jump over all PFIL processing if hooks are not active. */
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index b2251ac..de08849 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -176,6 +176,7 @@ struct sockopt;
VNET_DECLARE(u_short, ip_id); /* ip packet ctr, for ids */
VNET_DECLARE(int, ip_defttl); /* default IP ttl */
VNET_DECLARE(int, ipforwarding); /* ip forwarding */
+VNET_DECLARE(int, ipipsec_in_use);
#ifdef IPSTEALTH
VNET_DECLARE(int, ipstealth); /* stealth forwarding */
#endif
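Review bot: The new `VNET_DECLARE(int, ipipsec_in_use);` is the only declaration in this run without the trailing comment its neighbours carry, and nothing in the header says what the variable controls. Suggest `VNET_DECLARE(int, ipipsec_in_use); /* gate ip_ipsec_* hooks in ip_input/ip_output */` so readers of ip_var.h learn the knob's scope without opening ip_input.c.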
@@ -191,6 +192,7 @@ extern struct pr_usrreqs rip_usrreqs;
#define V_ip_id VNET(ip_id)
#define V_ip_defttl VNET(ip_defttl)
#define V_ipforwarding VNET(ipforwarding)
+#define V_ipipsec_in_use VNET(ipipsec_in_use)
#ifdef IPSTEALTH
#define V_ipstealth VNET(ipstealth)
#endif