MFC r282132:

Since PFIL can change mbuf pointer, we should update pointers after calling ipsec_filter(). Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
author: Luiz Otavio O Souza <luiz@netgate.com> 2015-09-15 15:37:13 -0500
committer: Luiz Otavio O Souza <luiz@netgate.com> 2015-10-20 12:03:00 -0500
commit: 20319db2373357495f7c1c01ad69af30684d8b36 (patch)
tree: 95f9adfe13b277bf864729ea7a304820b79fc9a2 /sys/netipsec/ipsec_output.c
parent: 2917c4bbfaa45cf1c60803a533b666734f1f5737 (diff)
download: FreeBSD-src-20319db2373357495f7c1c01ad69af30684d8b36.zip
FreeBSD-src-20319db2373357495f7c1c01ad69af30684d8b36.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 288770c..8bf4d08 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -577,6 +577,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
 	/* pass the mbuf to enc0 for packet filtering */
 	if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
 		goto bad;
+	ip = mtod(m, struct ip *);
 #endif
 	/* Do the appropriate encapsulation, if necessary */
 	if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
@@ -698,6 +699,7 @@ ipsec6_process_packet(struct mbuf *m, struct ipsecrequest *isr)
 	/* pass the mbuf to enc0 for packet filtering */
 	if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
 		goto bad;
+	ip6 = mtod(m, struct ip6_hdr *);
 #endif /* DEV_ENC */
 
 	/* Do the appropriate encapsulation, if necessary */
author	Luiz Otavio O Souza <luiz@netgate.com>	2015-09-15 15:37:13 -0500
committer	Luiz Otavio O Souza <luiz@netgate.com>	2015-10-20 12:03:00 -0500
commit	20319db2373357495f7c1c01ad69af30684d8b36 (patch)
tree	95f9adfe13b277bf864729ea7a304820b79fc9a2 /sys/netipsec/ipsec_output.c
parent	2917c4bbfaa45cf1c60803a533b666734f1f5737 (diff)
download	FreeBSD-src-20319db2373357495f7c1c01ad69af30684d8b36.zip FreeBSD-src-20319db2373357495f7c1c01ad69af30684d8b36.tar.gz