diff options
| author | bz <bz@FreeBSD.org> | 2009-05-23 16:42:38 +0000 |
|---|---|---|
| committer | bz <bz@FreeBSD.org> | 2009-05-23 16:42:38 +0000 |
| commit | 9642ff6e283a56096187f128604a36cf5e445825 (patch) | |
| tree | af224eeb2132573550696e499948967fb4a2e0d7 /sys/netinet | |
| parent | dc84aec17116643eb20765e9bb3f4818bd52e4f4 (diff) | |
| download | FreeBSD-src-9642ff6e283a56096187f128604a36cf5e445825.zip FreeBSD-src-9642ff6e283a56096187f128604a36cf5e445825.tar.gz | |
Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL
kernel option.
This also permits tuning of the option per virtual network stack, as
well as separately per inet, inet6.
The kernel option is left for a transition period, marked deprecated,
and will be removed soon.
Initially requested by: phk (1 year 1 day ago)
MFC after: 4 weeks
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_ipsec.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c index 45364a8..ab5d22d 100644 --- a/sys/netinet/ip_ipsec.c +++ b/sys/netinet/ip_ipsec.c @@ -71,6 +71,10 @@ __FBSDID("$FreeBSD$"); extern struct protosw inetsw[]; +#ifdef VIMAGE_GLOBALS +int ip4_ipsec_filtertunnel; +#endif + /* * Check if we have to jump over firewall processing for this packet. * Called from ip_input(). @@ -79,11 +83,14 @@ extern struct protosw inetsw[]; int ip_ipsec_filtertunnel(struct mbuf *m) { -#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL) +#if defined(IPSEC) + INIT_VNET_IPSEC(curvnet); + /* * Bypass packet filtering for packets from a tunnel. */ - if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) + if (!V_ip4_ipsec_filtertunnel && + m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) return 1; #endif return 0; |
