From 7c17fc70241a215de420457e10a510834441b90f Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Mon, 22 Feb 2016 17:14:03 -0300 Subject: Revert "Revert 295285 which was an MFC of the tryforward work (r290383,295282,295283)" We are keeping tryforward enabled on pfSense since we do not use IPFW + NAT This reverts commit b899cad3faf3673f41a3fcf021164dcd7ee19a7e. --- sys/netinet/ip_input.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'sys/netinet/ip_input.c') diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 287417c..1eefadc 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$"); #include #ifdef IPSEC #include +#include +#include #endif /* IPSEC */ #include @@ -467,12 +469,22 @@ tooshort: } else m_adj(m, ip_len - m->m_pkthdr.len); } + /* Try to forward the packet, but if we fail continue */ #ifdef IPSEC + /* For now we do not handle IPSEC in tryforward. */ + if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) && + (V_ipforwarding == 1)) + if (ip_tryforward(m) == NULL) + return; /* * Bypass packet filtering for packets previously handled by IPsec. */ if (ip_ipsec_filtertunnel(m)) goto passin; +#else + if (V_ipforwarding == 1) + if (ip_tryforward(m) == NULL) + return; #endif /* IPSEC */ /* -- cgit v1.1
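Review bot: Both added call sites in the second hunk (the IPSEC branch and the `#else` branch) test `ip_tryforward(m) == NULL` and then discard the returned pointer. If ip_tryforward can hand back a different mbuf than it was given (its definition is not in this diff, so this needs confirming), the code that follows would keep using a stale `m`. Assigning the result closes that gap and also removes the unbraced nested `if`: `if (V_ipforwarding == 1 && (m = ip_tryforward(m)) == NULL) return;`, with the key_havesp() tests kept in front of it in the IPSEC branch. The commit message's reason for keeping this path (IPFW + NAT is not used) is not recorded at the call site; a comment such as `/* tryforward is kept on the assumption that IPFW + NAT is not in use */` would make that precondition visible to whoever changes the filtering setup later. The enclosing function starts and ends outside the hunk.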