-rw-r--r--sys/conf/NOTES11
-rw-r--r--sys/conf/options1
-rw-r--r--sys/netinet/ip_input.c7
3 files changed, 19 insertions, 0 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index cc511e4..f03279a 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -364,6 +364,17 @@ options INET6 #IPv6 communications protocols
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security
+#
+# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
+# to be processed by any configured packet filtering (ipfw, ipf).
+# The default is that packets coming from a tunnel are _not_ processed;
+# they are assumed trusted.
+#
+# Note that enabling this can be problematic as there are no mechanisms
+# in place for distinguishing packets coming out of a tunnel (e.g. no
+# encX devices as found on openbsd).
+#
+#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
#options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)
diff --git a/sys/conf/options b/sys/conf/options
index 4ec220d..7a16efc 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -327,6 +327,7 @@ INET6 opt_inet6.h
IPSEC opt_ipsec.h
IPSEC_ESP opt_ipsec.h
IPSEC_DEBUG opt_ipsec.h
+IPSEC_FILTERGIF opt_ipsec.h
FAST_IPSEC opt_ipsec.h
IPDIVERT
DUMMYNET opt_ipdn.h
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 04aa1c3..7e1ed1f 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -427,6 +427,13 @@ tooshort:
} else
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
+#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
+ /*
+ * Bypass packet filtering for packets from a tunnel (gif).
+ */
+ if (ipsec_gethist(m, NULL))
+ goto pass;
+#endif
/*
* IpHack's section.