author | ae <ae@FreeBSD.org> | 2014-11-05 09:23:29 +0000 |
committer | ae <ae@FreeBSD.org> | 2014-11-05 09:23:29 +0000 |
commit | 6933957ccb7c9d3685e51d3aae7e3a8ab8d91c8f (patch) | |
tree | 4c59a543f83db7eb244721ea9d542127873cf105 /sys/netipsec/xform_ipip.c | |
parent | f5ef39c5536cbd1ec407ea4507e695db17fe32c1 (diff) | |
MFC r266800 by vanhu:
IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels.
For IPv6-in-IPv4, you may need to do the following command
on the tunnel interface if it is configured as IPv4 only:
ifconfig <interface> inet6 -ifdisabled
Code logic inspired from NetBSD.
PR: kern/169438
MFC r266822 by bz:
Use IPv4 statistics in ipsec4_process_packet() rather than the IPv6
version. This also unbreaks the NOINET6 builds after r266800.
MFC r268083 by zec:
The assumption in ipsec4_process_packet() that the payload may be
only IPv4 is wrong, so check the IP version before mangling the
payload header.
MFC r272394:
Do not strip outer header when operating in transport mode.
Instead requeue mbuf back to IPv4 protocol handler. If there is one extra IP-IP
encapsulation, it will be handled with tunneling interface. And thus proper
interface will be exposed into mbuf's rcvif. Also, tcpdump that listens on tunneling
interface will see packets in both directions.
PR: 194761
Diffstat (limited to 'sys/netipsec/xform_ipip.c')
-rw-r--r-- | sys/netipsec/xform_ipip.c | 27 |
1 files changed, 5 insertions, 22 deletions
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 3e1fc1f..01a6af8 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -308,26 +308,6 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 	/* Statistics */
 	IPIPSTAT_ADD(ipips_ibytes, m->m_pkthdr.len - iphlen);
-#ifdef DEV_ENC
-	switch (v >> 4) {
-#ifdef INET
-	case 4:
-		ipsec_bpf(m, NULL, AF_INET, ENC_IN|ENC_AFTER);
-		break;
-#endif
-#ifdef INET6
-	case 6:
-		ipsec_bpf(m, NULL, AF_INET6, ENC_IN|ENC_AFTER);
-		break;
-#endif
-	default:
-		panic("%s: bogus ip version %u", __func__, v>>4);
-	}
-	/* pass the mbuf to enc0 for packet filtering */
-	if (ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER) != 0)
-		return;
-#endif
 	/*
 	 * Interface pointer stays the same; if no IPsec processing has
 	 * been done (or will be done), this will point to a normal
@@ -507,10 +487,13 @@ ipip_output(
 	ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
 	ip6o->ip6_vfc |= IPV6_VERSION;
 	ip6o->ip6_plen = htons(m->m_pkthdr.len);
-	ip6o->ip6_hlim = V_ip_defttl;
+	ip6o->ip6_hlim = IPV6_DEFHLIM;
 	ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
 	ip6o->ip6_src = saidx->src.sin6.sin6_addr;
+	/* Fix payload length */
+	ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
+
 	switch (tp) {
 #ifdef INET
 	case IPVERSION:
@@ -541,7 +524,7 @@ ipip_output(
 	}
 	otos = 0;
-	ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
+	ip_ecn_ingress(V_ip6_ipsec_ecn, &otos, &itos);
 	ip6o->ip6_flow |= htonl((u_int32_t) otos << 20);
 	break;
 #endif /* INET6 */
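Review bot: In the second hunk of ipip_output() the added `ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));` leaves the earlier context line `ip6o->ip6_plen = htons(m->m_pkthdr.len);` as a dead store that writes the wrong value first, and the "Fix payload length" comment reads as if the first assignment were still needed; drop the earlier line and keep the single correct assignment where the header is filled in, preferably as `ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o));` since it is the outer header whose size is being subtracted (this assumes `ip6` and `ip6o` are both `struct ip6_hdr *`, which is outside the hunk). In the first hunk the DEV_ENC block that tapped and pfil-filtered the decapsulated inner packet (`ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)`) is removed without replacement in this file, and neither the commit message nor the remaining code says where the ENC_IN|ENC_AFTER enc0 hook now runs; a one-line comment at the removal site naming the caller that performs it, or a sentence in the commit message, would let a reader confirm that inner packets are still visible to the firewall. The bodies of _ipip_input() and ipip_output() both continue outside the hunks.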