From cd6535554e503550ca26a3ad8290147c8655013d Mon Sep 17 00:00:00 2001
From: gnn
Date: Thu, 4 Feb 2016 22:53:12 +0000
Subject: MFC: r290383,295282,295283 Replace the fastforward path with tryforward which does not require a sysctl and will always be on. The former split between default and fast forwarding is removed by this commit while preserving the ability to use all network stack features.
Differential Revision: https://reviews.freebsd.org/D4042
Reviewed by: ae, melifaro, olivier, rwatson
Approved by: re (glebius)
Sponsored by: Rubicon Communications (Netgate)
---
 sys/netinet/ip_input.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'sys/netinet/ip_input.c')
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 2dc080f..0b29d49 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$");
 #include
 #ifdef IPSEC
 #include
+#include
+#include
 #endif /* IPSEC */
 #include
@@ -464,12 +466,22 @@ tooshort:
 } else
 m_adj(m, ip_len - m->m_pkthdr.len);
 }
+ /* Try to forward the packet, but if we fail continue */
 #ifdef IPSEC
+ /* For now we do not handle IPSEC in tryforward. */
+ if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) &&
+ (V_ipforwarding == 1))
+ if (ip_tryforward(m) == NULL)
+ return;
 /*
 * Bypass packet filtering for packets previously handled by IPsec.
 */
 if (ip_ipsec_filtertunnel(m))
 goto passin;
+#else
+ if (V_ipforwarding == 1)
+ if (ip_tryforward(m) == NULL)
+ return;
 #endif /* IPSEC */
 /*
-- cgit v1.1
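Review bot: The pointer returned by ip_tryforward() is only compared with NULL and then discarded, in both the `#ifdef IPSEC` branch and the `#else` branch of the second hunk, so ip_input() carries on with its original `m` whenever the call does not consume the packet. ip_tryforward() is not part of this file-limited diff; if it can hand back a different mbuf than it was given (for example after a pullup or a packet-filter hook), the code that follows would operate on a stale or freed mbuf, and any header pointer taken from it earlier would be stale as well. Assigning the result closes that off: `if ((m = ip_tryforward(m)) == NULL) return;`, followed by re-deriving the IP header pointer from the new `m`. The call also sits ahead of the filtering step that `goto passin` bypasses, so a one-line comment stating whether ip_tryforward() applies the packet filter itself would help the next reader; the rest of ip_input() lies outside the hunk.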