From 5e6268df600406a1570e822ac652576059d820e3 Mon Sep 17 00:00:00 2001
From: Luiz Otavio O Souza
Date: Fri, 6 Nov 2015 07:40:52 -0600
Subject: MFC r290383: Replace the fastforward path with tryforward which does not require a sysctl and will always be on. The former split between default and fast forwarding is removed by this commit while preserving the ability to use all network stack features.
Differential Revision: https://reviews.freebsd.org/D4042
Reviewed by: ae, melifaro, olivier, rwatson
MFC after: 1 month
Sponsored by: Rubicon Communications (Netgate)
TAG: tryforward
---
 sys/netinet/ip_input.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'sys/netinet/ip_input.c')
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 287417c..5b2e544 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$");
 #include
 #ifdef IPSEC
 #include
+#include
+#include
 #endif /* IPSEC */
 #include
@@ -467,12 +469,23 @@ tooshort:
 } else
 m_adj(m, ip_len - m->m_pkthdr.len);
 }
+
+ /* Try to forward the packet, but if we fail continue */
 #ifdef IPSEC
+ /* For now we do not handle IPSEC in tryforward. */
+ if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) &&
+ (V_ipforwarding == 1))
+ if (ip_tryforward(m) == NULL)
+ return;
 /*
 * Bypass packet filtering for packets previously handled by IPsec.
 */
 if (ip_ipsec_filtertunnel(m))
 goto passin;
+#else
+ if (V_ipforwarding == 1)
+ if (ip_tryforward(m) == NULL)
+ return;
 #endif /* IPSEC */
 /*
--
cgit v1.1
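Review bot: Both new call sites in the second hunk discard the pointer returned by ip_tryforward() and only compare it with NULL, so when the packet is handed back ip_input goes on using its old `m`. The body of ip_tryforward() is not in this patch; if it can return a different or modified mbuf, `m` and any header pointer taken from it earlier would be stale on the slow path. I would write `if ((m = ip_tryforward(m)) == NULL) return;` in both the IPSEC and the `#else` branch and re-derive the cached header pointer after the call. The attempt also sits ahead of the filtering code that follows in ip_input, so the new comment should state the contract, e.g. `/* ip_tryforward() must run the packet-filter hooks itself; nothing below runs for a forwarded packet. */`. ip_input starts and ends outside the hunk.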