Diffstat (limited to 'sys/netinet6/ip6_input.c')
-rw-r--r-- | sys/netinet6/ip6_input.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 15de8ed..f5e6cb2 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -119,6 +119,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet6/in6_rss.h>
 #ifdef IPSEC
+#include <netipsec/key.h>
 #include <netipsec/ipsec.h>
 #include <netinet6/ip6_ipsec.h>
 #include <netipsec/ipsec6.h>
@@ -558,6 +559,12 @@ ip6_input(struct mbuf *m)
 int nxt, ours = 0;
 int srcrt = 0;
+ /*
+ * Drop the packet if IPv6 operation is disabled on the interface.
+ */
+ if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED))
+ goto bad;
+
 #ifdef IPSEC
 /*
 * should the inner packet be considered authentic?
@@ -601,10 +608,6 @@ ip6_input(struct mbuf *m)
 IP6STAT_INC(ip6s_m1);
 }
- /* drop the packet if IPv6 operation is disabled on the IF */
- if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED))
- goto bad;
-
 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
 IP6STAT_INC(ip6s_total);
@@ -732,12 +735,21 @@ ip6_input(struct mbuf *m)
 goto bad;
 }
 #endif
+ /* Try to forward the packet, but if we fail continue */
 #ifdef IPSEC
+ if (V_ip6_forwarding != 0 && !key_havesp(IPSEC_DIR_INBOUND) &&
+ !key_havesp(IPSEC_DIR_OUTBOUND))
+ if (ip6_tryforward(m) == NULL)
+ return;
 /*
 * Bypass packet filtering for packets previously handled by IPsec.
 */
 if (ip6_ipsec_filtertunnel(m))
 goto passin;
+#else
+ if (V_ip6_forwarding != 0)
+ if (ip6_tryforward(m) == NULL)
+ return;
 #endif /* IPSEC */
 /* |
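Review bot: The relocated `ND6_IFF_IFDISABLED` check in the second hunk now drops the packet before the mbuf statistics block as well as before `ifs6_in_receive` and `ip6s_total`, and nothing in the hunk counts the drop. Unless the `bad` label (outside this diff) does its own accounting, traffic arriving on a disabled interface is discarded without a trace in the counters. The comment should say that the early placement is deliberate and name the counter that records these drops, for example `/* Checked first so a disabled interface is dropped before any IPsec or statistics handling; counted at bad: as <counter>. */`. The doubled parentheses around the condition can be reduced to one pair while the line is being touched.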
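Review bot: The result of `ip6_tryforward(m)` in the last hunk is only compared with NULL and then thrown away, in both the IPSEC and the `#else` branch. If that function can hand back a different mbuf than it was given (its definition is not part of this diff), `ip6_input` carries on with a stale `m`. Assigning the result keeps the pointer valid: `if ((m = ip6_tryforward(m)) == NULL)`. The new comment should also explain why the IPSEC build gates the attempt on `key_havesp()` for both directions, presumably so packets that may fall under a security policy are not forwarded ahead of the policy checks. It should also say whether the forwarding path runs the packet-filter hooks that follow. The body of ip6_input starts and ends outside this hunk.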