author | thompsa <thompsa@FreeBSD.org> | 2006-06-26 22:30:08 +0000 |
---|---|---|
committer | thompsa <thompsa@FreeBSD.org> | 2006-06-26 22:30:08 +0000 |
commit | 320c8e5164d793a94bf5d538add0abe0d4f665ca (patch) | |
tree | ad08e122ba3a5390ec867d258e80d618c4727731 /sys/netipsec/ipsec_input.c | |
parent | f0555f2de979cc15b2f5899edf00461f6d7ead98 (diff) | |
Add a pseudo interface for packet filtering IPSec connections before or after
encryption. There are two functions, a bpf tap which has a basic header with
the SPI number which our current tcpdump knows how to display, and handoff to
pfil(9) for packet filtering.
Obtained from: OpenBSD
Based on: kern/94829
No objections: arch, net
MFC after: 1 month
Diffstat (limited to 'sys/netipsec/ipsec_input.c')
-rw-r--r-- | sys/netipsec/ipsec_input.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 753b78a..24bc1c3 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -43,6 +43,7 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_enc.h"
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -442,6 +443,18 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 key_sa_recordxfer(sav, m); /* record data transfer */
+#ifdef DEV_ENC
+ /*
+ * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
+ * packet later after it has been decapsulated.
+ */
+ ipsec_bpf(m, sav, AF_INET);
+
+ if (prot != IPPROTO_IPIP)
+ if ((error = ipsec_filter(&m, 1)) != 0)
+ return (error);
+#endif
+
 /*
 * Re-dispatch via software interrupt.
 */
|
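Review bot: The early `return (error);` after `ipsec_filter(&m, 1)` in the second hunk leaves ipsec4_common_input_cb without passing through whatever cleanup its other error paths use, so the mbuf is released exactly once only if ipsec_filter always consumes it when it returns non-zero; that ownership rule is not visible here and, if it holds, deserves a comment on the return such as `/* ipsec_filter() has already disposed of m */`, otherwise the code should go through the function's common error exit if it has one. Because the mbuf is passed as `&m`, a hook can presumably replace or consume it, so a NULL `m` with a zero return needs to be ruled out before the re-dispatch that follows. The nested `if` pair is easier to maintain safely when braced, `if (prot != IPPROTO_IPIP) {` ... `}`. All 13 insertions in this file land in the IPv4 callback, so any IPv6 input path here gets neither the bpf tap nor the pfil check, and filter rules on enc0 should not be assumed to cover it. The function body starts and ends outside the hunk.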