authorRenato Botelho <renato@netgate.com>2015-08-17 13:52:58 -0300
committerRenato Botelho <renato@netgate.com>2015-08-17 13:52:58 -0300
commit5b128f054452e56b96564210c998510e0dd45130 (patch)
tree6f79ca547f337c0d9b9dc90822fa8e02e2641c2e /sys/netipsec/ipsec_output.c
parent570dae5561e54cd2703f546b04a3fa029c92dc62 (diff)
Importing pfSense patch ipsec_altq.RELENG_10.diff
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
-rw-r--r--sys/netipsec/ipsec_output.c27
1 files changed, 23 insertions, 4 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 442fb7a..33b84e0 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -43,6 +43,11 @@
#include <sys/errno.h>
#include <sys/syslog.h>
+#ifdef DEV_ENC
+#include <altq/if_altq.h>
+#include <netpfil/pf/pf_mtag.h>
+#endif
+
#include <net/if.h>
#include <net/pfil.h>
#include <net/vnet.h>
@@ -98,6 +103,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
struct m_tag *mtag;
struct secasvar *sav;
struct secasindex *saidx;
+ struct pf_mtag *atag = NULL;
int error;
IPSEC_ASSERT(m != NULL, ("null mbuf"));
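Review bot: `struct pf_mtag *atag = NULL;` is declared unconditionally, but the only visible use of `atag` is inside the `#ifdef DEV_ENC` block added later in ipsec_process_done, and the header that defines `struct pf_mtag` is itself included only under DEV_ENC. A kernel configured without DEV_ENC would therefore carry an unused local of an incomplete type, which is likely to trip unused-variable warnings in a warnings-as-errors build. Guard the declaration the same way as its use: `#ifdef DEV_ENC` / `struct pf_mtag *atag = NULL;` / `#endif`. The function body starts and continues outside this hunk.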
@@ -189,6 +195,15 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
}
key_sa_recordxfer(sav, m); /* record data transfer */
+#ifdef DEV_ENC
+ if (saidx->qid && (atag = pf_find_mtag(m)) != NULL) {
+ atag->qid = saidx->qid;
+ /* add hints for ecn */
+ atag->af = saidx->dst.sa.sa_family;
+ atag->hdr = NULL; /* This should be safe! */
+ }
+#endif
+
/*
* We're done with IPsec processing, transmit the packet using the
* appropriate network protocol (IP or IPv6). SPD lookup will be
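Review bot: The comment `/* This should be safe! */` on `atag->hdr = NULL` does not say why the pointer is cleared or what makes that safe, and this is the line a later reader most needs explained. Presumably `hdr` referred to the pre-transform IP header, which no longer describes the packet once it is encapsulated, so a stale value could be dereferenced by a consumer of the tag; if so, say it, e.g. `/* header seen by pf is gone after the transform; clear it so no one follows a stale pointer */`. Note also that the reset only happens when `saidx->qid` is non-zero, so a tag on a packet with no queue assigned keeps whatever `hdr` it carried, and that `pf_find_mtag()` returning NULL silently leaves the packet unqueued; both are worth a sentence in the comment or a check. The function continues outside this hunk.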
@@ -455,7 +470,8 @@ ipsec4_process_packet(
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_BEFORE);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
+ ENC_OUT|ENC_BEFORE)) != 0)
goto bad;
#endif
@@ -554,7 +570,8 @@ ipsec4_process_packet(
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, sav, sav->sah->saidx.dst.sa.sa_family, ENC_OUT|ENC_AFTER);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
+ ENC_OUT|ENC_AFTER)) != 0)
goto bad;
#endif
@@ -657,7 +674,8 @@ ipsec6_process_packet(
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
+ ENC_OUT|ENC_BEFORE)) != 0)
goto bad;
#endif /* DEV_ENC */
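Review bot: The new `ipsec_filter()` call dereferences `sav` (`&sav->sah->saidx`), while the `ipsec_bpf()` call two lines above it in the same block uses `isr->sav`. The declaration and assignment of `sav` in ipsec6_process_packet are outside this hunk, so it is not visible here that `sav` is set, and equal to `isr->sav`, on every path that reaches this point; if it is not, this reads through an unset pointer in the output path. Using the same expression as the neighbouring call removes the question: `if ((error = ipsec_filter(&m, &isr->sav->sah->saidx, PFIL_OUT,`. The same applies to the ENC_AFTER call in the next hunk of ipsec6_process_packet.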
@@ -709,7 +727,8 @@ ipsec6_process_packet(
#ifdef DEV_ENC
ipsec_bpf(m, isr->sav, dst->sa.sa_family, ENC_OUT|ENC_AFTER);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
+ ENC_OUT|ENC_AFTER)) != 0)
goto bad;
#endif /* DEV_ENC */