Add a pseudo interface for packet filtering IPSec connections before or after

encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering. Obtained from: OpenBSD Based on: kern/94829 No objections: arch, net MFC after: 1 month
author: thompsa <thompsa@FreeBSD.org> 2006-06-26 22:30:08 +0000
committer: thompsa <thompsa@FreeBSD.org> 2006-06-26 22:30:08 +0000
commit: 320c8e5164d793a94bf5d538add0abe0d4f665ca (patch)
tree: ad08e122ba3a5390ec867d258e80d618c4727731 /sys/netipsec/xform_ipip.c
parent: f0555f2de979cc15b2f5899edf00461f6d7ead98 (diff)
download: FreeBSD-src-320c8e5164d793a94bf5d538add0abe0d4f665ca.zip
FreeBSD-src-320c8e5164d793a94bf5d538add0abe0d4f665ca.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 4bb0b54..8191009 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -41,6 +41,7 @@
  */
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_enc.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -345,6 +346,12 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 	/* Statistics */
 	ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
 
+#ifdef DEV_ENC
+	/* pass the mbuf to enc0 for packet filtering */
+	if (ipsec_filter(&m, 1) != 0)
+		return;
+#endif
+
 	/*
 	 * Interface pointer stays the same; if no IPsec processing has
 	 * been done (or will be done), this will point to a normal
author	thompsa <thompsa@FreeBSD.org>	2006-06-26 22:30:08 +0000
committer	thompsa <thompsa@FreeBSD.org>	2006-06-26 22:30:08 +0000
commit	320c8e5164d793a94bf5d538add0abe0d4f665ca (patch)
tree	ad08e122ba3a5390ec867d258e80d618c4727731 /sys/netipsec/xform_ipip.c
parent	f0555f2de979cc15b2f5899edf00461f6d7ead98 (diff)
download	FreeBSD-src-320c8e5164d793a94bf5d538add0abe0d4f665ca.zip FreeBSD-src-320c8e5164d793a94bf5d538add0abe0d4f665ca.tar.gz