Diffstat (limited to 'sys/netipsec/ipsec_input.c')
-rw-r--r-- | sys/netipsec/ipsec_input.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 66de530..405806f 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -353,8 +353,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 encif->if_ibytes += m->m_pkthdr.len;
 /* Pass the mbuf to enc0 for bpf and pfil. */
- ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
- if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+ ipsec_bpf(m, sav, AF_INET, saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE);
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
+ saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE)) != 0)
 return (error);
 #endif /* DEV_ENC */
@@ -498,7 +499,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_AFTER);
 #endif
- if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
+ ENC_IN|ENC_AFTER)) != 0)
 return (error);
 #endif /* DEV_ENC */
@@ -523,7 +525,10 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 goto bad;
 }
- error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
+ if (V_ipsec_direct_dispatch)
+ error = netisr_dispatch_src(isr_prot, (uintptr_t)sav->spi, m);
+ else
+ error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
 if (error) {
 IPSEC_ISTAT(sproto, qfull);
 DPRINTF(("%s: queue full; proto %u packet dropped\n",
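Review bot: In the first hunk (and its IPv6 twin at -652) a transport-mode packet is now handed to `ipsec_filter()` as `ENC_IN|ENC_AFTER`, and the later call sites patched at -498 and -782 also pass `ENC_IN|ENC_AFTER`, so a transport-mode packet that reaches both sites may have the enc0 pfil rules evaluated on it twice with identical flags. The code between the two sites is outside these hunks, so this is inferred; please confirm that `ipsec_filter()` uses the new `saidx` argument to skip one of the two, and record the intent next to the call, e.g. `/* Transport mode: no outer header to strip, so enc0 sees this packet as ENC_AFTER. */`. The direction expression is also repeated verbatim for the bpf tap and the filter and overruns 80 columns. Computing it once, `encflags = ENC_IN | (saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_AFTER : ENC_BEFORE);`, and passing `saidx` instead of `&sav->sah->saidx` (presumably the same object) would keep the two calls from drifting apart.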
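Review bot: With `V_ipsec_direct_dispatch` set, the new `netisr_dispatch_src()` call at -523 can run the inner packet's protocol input on the current stack instead of deferring it, so nested SAs (IPsec carried inside IPsec) may re-enter this callback recursively, and nothing visible in the hunk bounds that depth. The shared error path still bumps `IPSEC_ISTAT(sproto, qfull)` and logs "queue full" for any non-zero return from either call, which mislabels a failure that did not come from a full queue. I would add a comment such as `/* Direct dispatch runs the handler in this context; nested SAs recurse, so stack depth must be bounded. */` and make the log message neutral, e.g. `"%s: netisr error %d; proto %u packet dropped\n"`. The definition and default of `V_ipsec_direct_dispatch` are outside this diff, and the function body continues past the end of the hunk.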
@@ -652,8 +657,9 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 encif->if_ibytes += m->m_pkthdr.len;
 /* Pass the mbuf to enc0 for bpf and pfil. */
- ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE);
- if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+ ipsec_bpf(m, sav, AF_INET6, saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE);
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
+ saidx->mode == IPSEC_MODE_TRANSPORT ? ENC_IN|ENC_AFTER : ENC_IN|ENC_BEFORE)) != 0)
 return (error);
 #endif /* DEV_ENC */
@@ -782,7 +788,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 if (prot == IPPROTO_IPV6)
 ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_AFTER);
- if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
+ ENC_IN|ENC_AFTER)) != 0)
 return (error);
 #endif /* DEV_ENC */
 /* |