diff options
author | thompsa <thompsa@FreeBSD.org> | 2006-06-26 22:30:08 +0000 |
---|---|---|
committer | thompsa <thompsa@FreeBSD.org> | 2006-06-26 22:30:08 +0000 |
commit | 320c8e5164d793a94bf5d538add0abe0d4f665ca (patch) | |
tree | ad08e122ba3a5390ec867d258e80d618c4727731 /sys/netipsec/ipsec_output.c | |
parent | f0555f2de979cc15b2f5899edf00461f6d7ead98 (diff) | |
download | FreeBSD-src-320c8e5164d793a94bf5d538add0abe0d4f665ca.zip FreeBSD-src-320c8e5164d793a94bf5d538add0abe0d4f665ca.tar.gz |
Add a pseudo interface for packet filtering IPSec connections before or after
encryption. There are two functions, a bpf tap which has a basic header with
the SPI number which our current tcpdump knows how to display, and handoff to
pfil(9) for packet filtering.
Obtained from: OpenBSD
Based on: kern/94829
No objections: arch, net
MFC after: 1 month
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
-rw-r--r-- | sys/netipsec/ipsec_output.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 788e07a..51dce82 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -32,6 +32,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_enc.h" #include <sys/param.h> #include <sys/systm.h> @@ -358,6 +359,13 @@ ipsec4_process_packet( goto bad; sav = isr->sav; + +#ifdef DEV_ENC + /* pass the mbuf to enc0 for packet filtering */ + if ((error = ipsec_filter(&m, 2)) != 0) + goto bad; +#endif + if (!tunalready) { union sockaddr_union *dst = &sav->sah->saidx.dst; int setdf; @@ -455,6 +463,11 @@ ipsec4_process_packet( } } +#ifdef DEV_ENC + /* pass the mbuf to enc0 for bpf processing */ + ipsec_bpf(m, sav, AF_INET); +#endif + /* * Dispatch to the appropriate IPsec transform logic. The * packet will be returned for transmission after crypto |