diff options
author | Renato Botelho <renato@netgate.com> | 2015-08-17 13:53:05 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2015-08-17 13:53:05 -0300 |
commit | 1a5bcc816de96758225aa0a4d2b5ddc7b88b6b58 (patch) | |
tree | f3719f5fc32497bee1670f4d905a743252da0714 /sys/netinet | |
parent | cd974c33ee2686b51a072a0938c0e5dc45729e00 (diff) | |
download | FreeBSD-src-1a5bcc816de96758225aa0a4d2b5ddc7b88b6b58.zip FreeBSD-src-1a5bcc816de96758225aa0a4d2b5ddc7b88b6b58.tar.gz |
Importing pfSense patch IPSEC_sysctl.RELENG_10.diff
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in.h | 3 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 14 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 24 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 2 |
4 files changed, 27 insertions, 16 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h index fa4cebe..5ec7ed7 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h @@ -702,7 +702,8 @@ int getsourcefilter(int, uint32_t, struct sockaddr *, socklen_t, #define IPCTL_FASTFORWARDING 14 /* use fast IP forwarding code */ #define IPCTL_KEEPFAITH 15 /* FAITH IPv4->IPv6 translater ctl */ #define IPCTL_GIF_TTL 16 /* default TTL for gif encap packet */ -#define IPCTL_MAXID 17 +#define IPCTL_IPSEC_INUSE 17 +#define IPCTL_MAXID 18 #endif /* __BSD_VISIBLE */ diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 77e6a48..81974fd 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -97,6 +97,11 @@ SYSCTL_VNET_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW, &VNET_NAME(ipforwarding), 0, "Enable IP forwarding between interfaces"); +VNET_DEFINE(int, ipipsec_in_use); +SYSCTL_VNET_INT(_net_inet_ip, IPCTL_IPSEC_INUSE, ipsec_in_use, CTLFLAG_RW, + &VNET_NAME(ipipsec_in_use), 0, + "Enable IPSec processing of packets"); + static VNET_DEFINE(int, ipsendredirects) = 1; /* XXX */ #define V_ipsendredirects VNET(ipsendredirects) SYSCTL_VNET_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW, @@ -471,7 +476,7 @@ tooshort: /* * Bypass packet filtering for packets previously handled by IPsec. */ - if (ip_ipsec_filtertunnel(m)) + if (V_ipipsec_in_use && ip_ipsec_filtertunnel(m)) goto passin; #endif /* IPSEC */ @@ -678,7 +683,7 @@ passin: m_freem(m); } else { #ifdef IPSEC - if (ip_ipsec_fwd(m)) + if (V_ipipsec_in_use && ip_ipsec_fwd(m)) goto bad; #endif /* IPSEC */ ip_forward(m, dchg); @@ -725,7 +730,7 @@ ours: * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if (ip_ipsec_input(m)) + if (V_ipipsec_in_use && ip_ipsec_input(m)) goto bad; #endif /* IPSEC */ @@ -1524,7 +1529,8 @@ ip_forward(struct mbuf *m, int srcrt) * If IPsec is configured for this path, * override any possibly mtu value set by ip_output. */ - mtu = ip_ipsec_mtu(mcopy, mtu); + if (V_ipipsec_in_use) + mtu = ip_ipsec_mtu(mcopy, mtu); #endif /* IPSEC */ /* * If the MTU was set before make sure we are below the diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 2db4578..aee6834 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -482,18 +482,20 @@ again: sendit: #ifdef IPSEC - switch(ip_ipsec_output(&m, inp, &flags, &error)) { - case 1: - goto bad; - case -1: - goto done; - case 0: - default: - break; /* Continue with packet processing. */ + if (V_ipipsec_in_use) { + switch(ip_ipsec_output(&m, inp, &flags, &error)) { + case 1: + goto bad; + case -1: + goto done; + case 0: + default: + break; /* Continue with packet processing. */ + } + /* Update variables that are affected by ipsec4_output(). */ + ip = mtod(m, struct ip *); + hlen = ip->ip_hl << 2; } - /* Update variables that are affected by ipsec4_output(). */ - ip = mtod(m, struct ip *); - hlen = ip->ip_hl << 2; #endif /* IPSEC */ /* Jump over all PFIL processing if hooks are not active. */ diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index b2251ac..de08849 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -176,6 +176,7 @@ struct sockopt; VNET_DECLARE(u_short, ip_id); /* ip packet ctr, for ids */ VNET_DECLARE(int, ip_defttl); /* default IP ttl */ VNET_DECLARE(int, ipforwarding); /* ip forwarding */ +VNET_DECLARE(int, ipipsec_in_use); #ifdef IPSTEALTH VNET_DECLARE(int, ipstealth); /* stealth forwarding */ #endif @@ -191,6 +192,7 @@ extern struct pr_usrreqs rip_usrreqs; #define V_ip_id VNET(ip_id) #define V_ip_defttl VNET(ip_defttl) #define V_ipforwarding VNET(ipforwarding) +#define V_ipipsec_in_use VNET(ipipsec_in_use) #ifdef IPSTEALTH #define V_ipstealth VNET(ipstealth) #endif |