summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--sys/netinet/ip_input.c11
-rw-r--r--sys/netinet/ip_ipsec.c38
-rw-r--r--sys/netinet6/ip6_ipsec.c35
3 files changed, 30 insertions, 54 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index ad1e7eb..287417c 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -676,10 +676,6 @@ passin:
IPSTAT_INC(ips_cantforward);
m_freem(m);
} else {
-#ifdef IPSEC
- if (ip_ipsec_fwd(m))
- goto bad;
-#endif /* IPSEC */
ip_forward(m, dchg);
}
return;
@@ -1357,6 +1353,13 @@ ip_forward(struct mbuf *m, int srcrt)
m_freem(m);
return;
}
+#ifdef IPSEC
+ if (ip_ipsec_fwd(m) != 0) {
+ IPSTAT_INC(ips_cantforward);
+ m_freem(m);
+ return;
+ }
+#endif /* IPSEC */
#ifdef IPSTEALTH
if (!V_ipstealth) {
#endif
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index d6bf068..ff28057 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -100,41 +100,27 @@ ip_ipsec_filtertunnel(struct mbuf *m)
/*
* Check if this packet has an active SA and needs to be dropped instead
* of forwarded.
- * Called from ip_input().
+ * Called from ip_forward().
* 1 = drop packet, 0 = forward packet.
*/
int
ip_ipsec_fwd(struct mbuf *m)
{
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
struct secpolicy *sp;
int error;
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
- }
- if (sp == NULL) { /* NB: can happen if error */
- /*XXX error stat???*/
- DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
- return 1;
- }
-
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- if (error) {
- IPSTAT_INC(ips_cantforward);
- return 1;
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
+ if (sp != NULL) {
+ /*
+ * Check security policy against packet attributes.
+ */
+ error = ipsec_in_reject(sp, m);
+ KEY_FREESP(&sp);
}
- return 0;
+ if (error != 0)
+ return (1);
+ return (0);
}
/*
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index 9d84349..d756103 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -124,35 +124,22 @@ int
ip6_ipsec_fwd(struct mbuf *m)
{
#ifdef IPSEC
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
struct secpolicy *sp;
int error;
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
- }
- if (sp == NULL) { /* NB: can happen if error */
- /*XXX error stat???*/
- DPRINTF(("%s: no SP for forwarding\n", __func__)); /*XXX*/
- return 1;
- }
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- if (error) {
- IP6STAT_INC(ip6s_cantforward);
- return 1;
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
+ if (sp != NULL) {
+ /*
+ * Check security policy against packet attributes.
+ */
+ error = ipsec_in_reject(sp, m);
+ KEY_FREESP(&sp);
}
+ if (error != 0)
+ return (1);
#endif /* IPSEC */
- return 0;
+ return (0);
}
/*
OpenPOWER on IntegriCloud